Skip to Content

Yahoo Faces Main Legal Fallout From Hacks Under Verizon Deal

The troubled merger between Yahoo (YHOO) and Verizon (VZ) appears set to close as the companies officially agreed to new terms that put a price on a catastrophic series of security breaches that affected more than a billion customer accounts.

The companies are reducing the original $4.83 billion price of the deal by $350 million, which is consistent with reports that surfaced last week.

In a statement issued Tuesday morning, the companies also disclosed important new details about who will pay for the legal costs associated with the hacking activity, which included a breach of 1 billion accounts in 2013 and a second breach of more than 500,000 accounts in 2014. News of the breaches became public last year after Verizon announced it would acquire Yahoo.

According to the revised terms, Yahoo and Verizon will share the legal costs from consumer class action cases related to the breaches. But Yahoo alone will absorb the cost of liabilities related to investor lawsuits and an ongoing Security and Exchange Commission lawsuits.

This is significant because many in the legal community believe the SEC sees the Yahoo incidents as a test case to define its rules about how and when a company must notify investors about a data breach. (The current SEC rules, issued in 2011, require a company to report data breaches that could have a “material adverse effect on the business” but offered little guidance beyond that.)

Get Data Sheet, Fortune’s technology newsletter.

If the SEC finds Yahoo was not forthcoming about the breaches, it could open the door to large fines from the agency, and from any shareholders misled by Yahoo’s silence on the matter.

Meanwhile, the cost of consumer class action suits may not be as severe. Typically, the law firms that bring such class actions agree to settle the cases for millions of dollars in legal fees and a promise of better behavior from the company, while the affected consumers receive little or nothing in terms of financial compensation.

The actual facts about the hacking incidents, and how Yahoo addressed them, remain shrouded in secrecy. While the company says some on the security team learned about a breach in 2014, it is unclear if senior management knew about it before last year, or if anyone in the company covered up the severity of the incidents.

The breaches, which Yahoo has blamed on “nation-state actors,” saw hackers obtain information like customers’ names, emails, birthdays and the answers to password-related security questions.