Issues of Cybersecurity and Issues with Material Adverse Change Provisions

Posted on by Paul Kako

On July 25, 2016, it was announced that Verizon would buy Yahoo for $4.83 billion.1 On September 22, 2016, Yahoo announced that personal data from at least 500 million accounts was stolen back in 2014.2 During a merger and acquisition, both parties undergo an extensive due diligence process. Part of this process does includes the buyer undertaking a cybersecurity assessment of the target company.3 Due to the recent breach of Yahoo accounts, questions have come up regarding the lack of consensus on data security terms in a merger, along with questions as to how these events impact a pending deal.

In the agreement between Yahoo and Verizon, there were several cybersecurity provisions.4 One of those provisions was that Yahoo “implemented and maintained ‘reasonable’ information security practices”5 Another provision stated that Yahoo was not aware of any breach that would have a “business material adverse effect.”6 While this language could lead to issues that are resolved in litigation and impact the end deal and length of the merger, questions still remain as what the ideal method of drafting cybersecurity provisions is.7

What constitutes a material adverse change is usually defined in an agreement, but in a general sense, it is defined as “any material adverse change in the business, results of operations, assets, liabilities, or financial condition of the Seller, as determined from the perspective of a reasonable person in the Buyer’s position.8 The question then becomes whether a data breach, or other issues regarding cybersecurity, is material. The issue here, however, is because large-scale hacking is a relatively new phenomenon, the case law is not as helpful to provide the necessary answers. Therefore, transactional attorneys at times define material as “significant”; something important enough to merit attention.9 But this definition is not very helpful and it raises further issues as how one determines what is significant.10 Is it by the size of the breach? The importance of the information the hackers obtained? The monetary impact on the business? In a leading case on these provisions, the court in IBP, Inc. v. Tyson Foods, Inc. held that these provisions must be read “in the larger context in which the parties were transacting.”11 This means that what constitutes “material” could be viewed from the prospective of a reasonable decision maker, or from the party evoking the provision. Another issue with this type of provision is that, in the cyber context, issues are not as easily quantifiable (as opposed to financial performance, for example) and so parties can differ on what it is intended to mean, as shown above.12 In the case of the Verizon-Yahoo merger, a lawyer for Verizon recently claimed that the information regarding the breach is a material adverse change and that the terms or the price could be changed.13 It’s not clear exactly which interpretation Verizon will argue for, but the situation between Verizon and Yahoo is still very fluid and the end result will most likely have an impact on how future corporations handle these issues, should they arise in a merger.

The recent revelations about Yahoo have highlighted a few noteworthy topics of discussion. First, cybersecurity will become a larger part of the merger and acquisition process. In fact, in a recent survey 78% of respondents believe that cybersecurity is not dealt with in great depth as part of the due diligence process of a merger, even though 83% of those respondents also believe that a deal could be abandoned is past cybersecurity breaches were made known to the buyer and the public. 14 Second, because this issue will most likely continue to impact business, contracts should draft a specific provision into the agreement that covers the specific and important issues that a material adverse change provision cannot. In terms of the Verizon-Yahoo merger, experts have held that the general language in the agreement “is a good start, but still leaves room for extensive litigation.”15

  1. Richard Nieva, Verizon to Buy Yahoo for $4.83 Billion, Merge it with AOL, CNET, https://www.cnet.com/uk/news/verizon-buying-yahoo-likely-merging-it-with-aol/. 

  2. Nicole Perlroth, Yahoo Hackers Plundered Data on 500 Million, N.Y. TIMES, September 23, 2016, at A3. 

  3. ALEXEI ALEXIS, YAHOO HACK SEEN AS POSSIBLE M&A GAME-CHANGER, 14 CARE Issue No. 19 (2016) Bloomberg Law. 

  4. Id. 

  5. Id. 

  6. Id. 

  7. Id. 

  8. Kenneth A. Adams, A Legal-Usage Analysis of “Material Adverse Change” Provisions, 10 FORDHAM J. CORP. & FIN. L. 9, 21 (2004). 

  9. Id. at 23. 

  10. Id. 

  11. 789 A.2d 14, 67 (Del. Ch. 2001). 

  12. Alexei Alexis, Yahoo Hack Seen as Possible M&A Game-Changer, 14 CARE Issue No. 19 (2016) Bloomberg Law. 

  13. David Shepardson, Verizon Believes Yahoo Email Hacking ‘Material,’ Could Affect Deal, REUTERS, http://www.reuters.com/article/verizon-yahoo-cyber-idUSL1N1CJ1L3?feedType=RSS&feedName=technologySector. 

  14. FRESHFIELDS BRUCKHAUS DERINGER, CYBER SECURITY IN M&A 6 (2014), http://www.freshfields.com/uploadedFiles/SiteWide/News_Room/Insight/Campaigns/Cyber_security_in_MandA/01214_BS_MBD_Media_MA%20Cyber%20Security%20Report_WEB_AW.PDF. 

  15. Alexei Alexis, Yahoo Hack Seen as Possible M&A Game-Changer, 14 CARE Issue No. 19 (2016) Bloomberg Law. 

Category: Blog Articles