On Wednesday Yahoo announced that they had discovered a 3-year-old security breach that exposed more than a billion user accounts to hackers. And that’s just the start of their bad week.

Since then the state of the hack has gone from bad, to embarrassing, to embarrassingly bad, putting its deal with Verizon in serious risk. Which just goes to show you that even as regulators parry about with what proper cybersecurity looks like, the market seems to be pretty clear on what it expects: total privacy.

Yahoo was already the holder of the title for most far-reaching hack, after revealing a hack from 2014 earlier this year that reached about 500 million users. The heist disclosed Wednesday actually dates back to August 2013, one year prior to the first-announced attack this year and with one billion people affected by this attack alone.

Photo Credit: superfluity cc
Photo Credit: superfluity cc

Though Yahoo hasn’t said if they believe the same hacker pulled off both heists, they have said that the stolen information included names, email addresses, phone numbers, birthdates and security questions and answers, though they believe no bank account information or payment-card data was compromised.

But that may not be enough of a silver lining for Verizon, who were in the process of negotiating a deal to acquire Yahoo. Its $4.83 billion deal is now, reportedly, being reassessed as part of a “price cut or possible exit” from the deal.

Which makes sense: In this day and age, cybersecurity is a consideration for every business. Hackers are into any sort of data they can get their hands on, and chances are something in your system will be valuable to them. Users these days favor total security (if such a thing exists anymore) and it’s very hard to promise that as a technology company whose hacks are the top two most far-reaching hacks ever pulled off. That it appears more than 150,000 of the Yahoo accounts compromised were U.S. government and military employees, makes Yahoo look like scorched Earth for Verizon possibly hoping to do government business.

While the government’s requirements for what companies need to do in a data breach are clear cut, they’re mostly concerned with what happens after the breach has occurred—proper notification, credit monitoring, etc. Verizon’s move shows that companies, at least, aren’t going to ignore what companies are doing that lead to hacks.

Hacks happen to everyone, of course. But two major hacks happening within a year of each other, exposing most of your billion active users to hacks—that’s sloppy. And though 75 percent of companies don’t have adequate cybersecurity incident response plans, it’s a safe bet that it’s going to start being important criteria to doing business with any company. So as Stephen H. Jett writes for Privacy & Data Security Insight, it’s vital to be proactive about this sort of thing:

Lest the magnitude of the cybersecurity risk be underestimated, data breaches are now on track to cost companies $2.1 trillion globally by 2019.  And it is more critical now than ever for corporate boards to be keenly cognizant of the fact that “’security is not just a legal issue; it’s not just an IT issue.’  Instead . . . every in-house counsel should engage boards and the CEO to make sure that it’s an ‘organizational priority.’”

Boards should not “count on luck but rather on a plan that anticipates where a security breach might occur, what the target and magnitude might be, and how it can be effectively contained.” The potential damage from a data breach can be far-reaching and crippling:  disruptions in crucial operations, destruction of critical data, and reputational damage, among other things. “Smart boards ensure their companies are continually on alert, preventing those breaches they can and ready to spring into action when something untoward occurs. . . . You don’t want to waste precious time scrambling when there’s a breach, so make sure the board had ongoing line of sight into security-related budgets, company policies, and leadership roles and responsibilities in case there is an event.”

Because even if regulators won’t come after you, corporate interests definitely will.