Craig Silliman Craig Silliman

Despite Yahoo Inc.’s recently revealed data breaches, the deal with Verizon Communications Inc. is still on, though some revisions have been made, including a $350 million haircut. With the transaction expected to close later this year, Craig Silliman, executive vice president of public policy and general counsel at Verizon, sees lessons for legal departments in the deal.

Since Verizon and Yahoo entered into the July 2016 stock purchase agreement under which Verizon would acquire Yahoo’s operating business, Yahoo has announced two massive data breaches. First, in September of last year, Yahoo, which did not immediately respond to request for comment on the deal, confirmed that a 2014 hack impacted at least 500 million customer email accounts. Then in December 2016, the company admitted that it had suffered yet another breach in 2013, that had affected more than one billion user accounts. The disclosure of the breaches led to speculation that Verizon might be looking to back out of the deal, negotiate a lower price or have Yahoo assume responsibility for lasting damages caused by the hack.

A Feb. 21 U.S. Securities and Exchange Commission filing from Verizon revealed that the deal is moving forward with some adjustments. The acquisition price will be reduced from approximately $4.83 billion in cash to roughly $4.48 billion. And the remaining part of Yahoo, which is slated to be called “Altaba Inc.,” will retain 50 percent of “certain post-closing liabilities arising out of governmental or third-party investigations, litigations or other claims related to certain user security and data breaches” and will continue to be liable for SEC investigations and shareholder lawsuits.

With the announcement of the newly revised deal, there are a handful of lessons to be learned, said Silliman, who assumed his current position in January 2015. The first is the importance of having a strategy on how to handle the news of the breaches, which Silliman said was in place from very early on. “In our case, a breach of user data, when users and user engagement were a core reason we were buying, meant we had to take this really seriously,” Silliman explained.

So the strategy, Silliman said, was to consider whether Verizon would still be buying an asset in line with the original goals of the deal and then considering questions such as: How do investors view this and what’s the cost of delaying the closing of the deal? “There were a lot of variables that we factored in,” Silliman said, but with the revisions to the agreement, the ultimate conclusion was that the deal is still a smart move for the company.

Disciplined messaging was also really important as Verizon considered what the news of the breaches meant for the deal, Silliman said. “Effectively, every public statement was a variation of the same core messages,” which Silliman explained were focused on conveying that Verizon was still evaluating whether the deal made strategic sense.

“This was important legally because anything we said publicly could be used in any potential litigation,” he said. “And also there’s messaging to a lot of different audiences … so we were really deliberate on what we were saying and who was going to say it.”

Silliman said in the wake of the breaches, one of the first things looked at was what the agreement with Yahoo said and what it allowed for. It was critical to be familiar with and understand the specifics of the deal, he explained. “Just because something happened doesn’t mean you get to rip up the deal and start from scratch,” he said. “[The agreement] tells you what the cards are that are in your hand … and you need to be very clear-eyed about what the cards are.”

Some have questioned whether Verizon should have done more or better due diligence to uncover Yahoo’s breaches. But Silliman disagrees. “There is no way you can do due diligence and find something … that the company itself hasn’t found,” he said, adding that this is why representations and warranties are added to these agreements.

“I don’t think one of the lessons learned is the need for due diligence around data breaches,” he said. “I do think it points to the importance of reps and warranties around data breaches.”