Risk Register (Yahoo MDL (2018))

Purpose

This register captures material risks highlighted by Yahoo MDL (2018) with severity, impact pathway, mitigation plan, and evidence expectations. It is intended for ongoing governance and audit use so risk acceptance, remediation progress, and accountability remain explicit over time.

Risk Register

MDL-STAND-01 — Standing and pleading exposure volatility

  • Severity: High
  • Description: The March 2018 MDL opinion shaped which harm theories proceed, creating variability in litigation trajectory and discovery burden.
  • Impact: Unstable motion outcomes increase legal cost and governance uncertainty over multi-year proceedings.
  • Mitigation: Coordinated legal-technical fact development, preservation strategy, and expert alignment on injury and misuse narratives.
  • Evidence: Court-filings tracker, discovery hold notices, expert workplan milestones, legal status reports.

ACC-TAKE-02 — Account integrity and takeover pressure

  • Severity: High
  • Description: Large-scale account compromise narratives elevate risk of recurring abuse and consumer harm allegations.
  • Impact: Continued account abuse can amplify damages theories and reputational harm.
  • Mitigation: MFA expansion, abuse detection tuning, and response playbooks for credential stuffing and suspicious session activity.
  • Evidence: MFA coverage metrics, SOC alert reports, incident timelines, remediation ticket history.

LOG-EVID-03 — Forensic logging and evidence completeness gaps

  • Severity: High
  • Description: Legacy systems create uneven logging and retention, complicating reconstruction of events.
  • Impact: Weak evidentiary posture in litigation and slower regulator/court response.
  • Mitigation: Centralize logging, enforce retention standards, and maintain control-to-evidence mapping with legal hold tags.
  • Evidence: SIEM coverage reports, retention policy attestations, evidence index, audit findings.

LEGACY-INT-04 — Legacy integration control inconsistency

  • Severity: Medium
  • Description: Inherited stacks and historic architecture differences produce uneven control implementation.
  • Impact: Residual vulnerabilities and repeated findings prolong risk acceptance cycles.
  • Mitigation: Prioritized legacy hardening roadmap with dated exceptions and compensating controls.
  • Evidence: Architecture exception register, remediation milestones, change approvals, test results.

GOV-CAD-05 — Governance reporting cadence drift

  • Severity: Medium
  • Description: Inconsistent executive/committee reporting weakens oversight of open critical risks.
  • Impact: Decision latency and an inability to demonstrate durable oversight under legal scrutiny.
  • Mitigation: Standardized quarterly risk pack with aging, owner accountability, and escalation thresholds.
  • Evidence: Board/risk committee packs, meeting minutes, risk acceptance log.

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM