After Cyberstalking Settlement, eBay Quietly Rewrites Board Oversight Rules

One day after eBay quietly settled the cyberstalking lawsuit brought by journalists Ina and David Steiner, the company’s board adopted new charters for every major board committee: Audit, Risk, Technology, Compensation and Human Capital, and Corporate Governance and Nominating.

The timing may be coincidental, but it also raises a broader question. After years of telling regulators and investors that it has rebuilt its culture in the wake of the 2019 scandal, do these governance updates represent real change or minimum viable compliance box-checking needed to move past the crisis?

The corporate plot targeted the Steiners for their reporting on eBay at EcommerceBytes while seeking to identify an anonymous source and commenter who went by the name Fidomaster/unsuckEBAY on Twitter.

Court records revealed details of a harassment campaign carried out by eBay security personnel led by Senior Security Director Jim Baugh, including threatening messages, disturbing deliveries, doxxing, in-person surveillance and an attempted break-in at the couple’s home.

Baugh and six other employees ultimately pleaded guilty. In 2024, eBay entered a deferred prosecution agreement admitting to six felony offenses, paying a $3 million fine and agreeing to three years of enhanced compliance monitoring.

That payment went to the U.S. Treasury, leaving the Steiners to pursue compensation through a civil lawsuit filed in 2021 against the criminal defendants, eBay, former CEO Devin Wenig, former Chief Communications Officer Steve Wymer and former SVP of Global Operations Wendy Jones.

The trial was scheduled to begin March 2, 2026, but the case settled with undisclosed terms on February 25, leaving broader governance and compliance questions unresolved.

The eBay Stalking Saga Ends in Settlement — But Not Closure

eBay stalking scandal civil suit settles days before trial, ending a 5-year legal fight while key questions remain unanswered.

Value Added ResourceLiz Morton

The updated board committee charters all share a similar basic framework:

Each committee “assists the Board in fulfilling its oversight responsibilities” for a defined slice of the risk pie and meets “as often as [it] deems appropriate and as required under applicable law,” with authority to bring in outside advisors. Minutes go to all directors, committees periodically update the full board and flag significant issues to one another, and each runs an annual self-evaluation with recommended charter changes.

That repeated emphasis on committees “assisting” the Board, while risk management itself remains the responsibility of management, may sound like boilerplate, but in the wake of the cyberstalking scandal it carries legal weight.

By framing committees as reviewers of systems and reports rather than actors responsible for operational decisions, the board is reinforcing a classic Caremark defense under Delaware law: directors oversee risk management, but management runs it.

Layered on top of that template is a sharper division of labor as eBay tries to more clearly define board oversight in the wake of the biggest public scandal in its 30-year history.

Audit

The new Audit Committee charter narrows its mission to what the SEC and PCAOB actually charge audit committees with doing: overseeing financial reporting, internal controls over financial reporting, and the independent auditors.

General “compliance with legal and regulatory requirements,” Code of Conduct oversight, and responsibility for the Related‑Person Transactions Policy which were previously assigned to the Audit Committee have now been split out to other committees.

Audit can still see compliance issues where they intersect with financial reporting and controls, but it's no longer the catch-all repository for whatever doesn’t fit elsewhere - meaning responsibility for ethics, compliance and regulatory risk is now spread across multiple committees.

Corporate Governance and Nominating

The Corporate Governance and Nominating Committee (CGNC) is keeping its traditional mechanics (director nominations, committee assignments, governance guidelines) but now adds a substantial ethics and ESG portfolio.

Under the new charter, it reviews the Code of Conduct at least annually, oversees compliance monitoring and waiver requests for directors, executive officers and senior finance, and makes recommendations to the board on those waivers, while “periodically” receiving reports on Code violations and waiver requests directly from the Chief Ethics Officer and Chief Legal Officer.

It also reviews “tone and culture (the ‘tone from the top’)” on ethics and compliance, oversees the Insider Trading Policy and violations, and takes the lead on “responsible business, sustainability, philanthropy and climate matters,” including the content of sustainability and climate reports except for quantitative metrics reserved to Audit.

CGNC is also responsible for board‑level oversight of risks relating to social issues, political contributions and public‑policy positions and for advising the board on management and shareholder proposals, with regular updates on governance‑related shareholder engagement.

In short, it’s the committee where Code of Conduct, ethics, insider trading, sustainability and public‑policy risk are supposed to be surfaced and discussed.

Technology

The Technology Committee moves from a generic mix of tech strategy plus cyber/data/site risk to an explicitly risk‑focused brief. It still reviews key technology plans and initiatives, but the new charter emphasizes “technology risk areas,” including cybersecurity, technology‑related resilience, data management and site availability.

It also takes on a new role overseeing “responsible AI practices, including AI ethics, bias mitigation and model transparency,” and is asked to review risk‑factor disclosures in the 10‑K and 10‑Q that relate to its domain.

The new charter does not mention any specific executive officer that is required to report to this committee, but it should be noted that Chief Privacy Officer, VP AI and Data Responsibility, Dr. Anna Zeiter, departed the company in December with no successor yet publicly named.

eBay Chief Privacy Officer, VP AI & Data Responsibility Anna Zeiter Departs

eBay’s Chief Privacy Officer & VP AI & Data Responsibility, Anna Zeiter departs after 11.5 years at the company.

Value Added ResourceLiz Morton

Compensation and Human Capital

The Compensation and Human Capital Committee keeps control over executive and board pay, compensation discussion and analysis, clawbacks, and human‑capital strategy, but its purpose is now framed explicitly around oversight of “the compensation of the Company’s executives and the Company’s human capital management strategy and practices.”

Its duties emphasize reviewing the risks associated with compensation policies and HCM practices and evaluating whether they encourage excessive risk‑taking.

The clawback section now makes clear the committee can and should receive input from other board committees when deciding whether a clawback‑triggering event has occurred - a provision that is almost certainly tied to governance issues directly related to the stalking scandal.

eBay Governance Crisis: Cyberstalking Case Ethics, Compliance & Disclosure Failures Call For Shareholder Scrutiny

As eBay cyberstalking civil case continues to trial, new questions emerge about corporate governance, compliance, disclosure & ethics failures at the company.

Value Added ResourceLiz Morton

eBay's internal investigation into the matter noted that Wenig and Wymer's tone and communications were "inappropriate" but the company believed their actions were not criminal.

Wymer was fired for cause in September 2019 in connection with these events, though that fact didn't stop him from landing a new gig as CEO of the Boys & Girls Club of the Silicon Valley, thanks to his close ties with then San Jose Mayor Sam Liccardo.

But despite being fired for cause, court documents showed that Wymer still managed to negotiate over $1M in severance in exchange for settling any legal disputes he may have had against eBay related to his termination.

The company was far less transparent about the circumstances of Wenig’s departure. Publicly, eBay described the change in leadership as a resignation, with then-Board chair Thomas Tierney saying Wenig was “stepping down” due to “a number of considerations,” while approving a severance package worth roughly $57 million.

In reality, both the board and Wenig were already aware of the crimes committed by company employees and the internal investigation underway, but none of that was disclosed until criminal charges were filed nine months later in June 2020 - leaving investors to assume Wenig’s departure was simply fallout from activist pressure.

Wenig’s separation agreement itself reflects the ambiguity, referring to his exit both as a resignation and as a termination other than for cause - language consistent with what governance experts often call a “negotiated resignation.”

eBay's standard clawback policy for officers employed at the VP level or above states incentive compensation may be forfeited or required to be paid back in instances of "a material violation of the Company's Code of Business Conduct" or action that causes "material financial or reputational harm to the Company."

This scandal would appear to qualify for both by any objective measure.

And Wenig's separation letter explicitly stated it did not prohibit eBay from seeking to enforce the clawback provisions, the right to recover would also apply to any payments set forth in the agreement, and nothing in the agreement restricted eBay's ability to seek enforcement of their clawback rights.

In response to allegations in the civil suit, eBay confirmed that Wenig's severance was subject to this clawback policy and the Board had meetings to discuss whether to act on that provision, but ultimately decided not to proceed.

Director Ethics Counsel, Anagha Apte, was asked about Board meeting minutes discussing the decision to terminate Wenig's employment in a September 2024 deposition, testifying under oath that his departure was a firing, not a resignation, and that it was directly related to this scandal.

Wendy Jones was allowed to continue in her role as SVP Global Ops through December 2020, when she received an $11M+ severance package, in addition to the $11M bonus Wenig had granted her in 2018.

Presumably the standard clawback policy would also have applied to Ms. Jones, though it is not known whether the board ever considered exercising it.

Devin Wenig and Wendy Jones were also both on overlapping sabbaticals when the crimes occurred - a business continuity red flag made even more striking by the fact that eBay was in the middle of a strategic review forced by activist investors Elliott Management and Starboard Value at the time.

These decisions would have likely fallen under the purview of the Compensation Committee, which in 2019 was led by Paul Pressler.

Notably, not only is Pressler still an eBay director, he has since been elevated to Board Chair as well as Chair of the Corporate Governance and Nominating Committee.

Three other current directors were also on the board in 2019 - Logan Green, Adriane Brown (now Chair of Compensation and Human Capital Committee), and
Perry Traquina (now Chair of Risk Committee).

The board committee structure may have been redesigned, but key members responsible for overseeing the company during the 2019 scandal remain in place.

The new charter for the Compensation and Human Capital Committee attempts to position including other committees in clawback decisions as a broadening of oversight, but it's difficult to take that claim seriously when those committees are still under leftover scandal-era legacy leadership.

Risk

In 2024, the Risk charter listed a few “key risks” (geopolitics, fraud and transaction losses, regulatory compliance), promised an annual check‑in on risk culture, and called for periodic reports from the Chief Compliance Officer on the compliance program’s effectiveness.

In 2026, that laundry list is gone; Risk now has a broad, residual remit to oversee specified risk areas plus “significant risks not explicitly delegated to any other committee of the Board or retained by the Board” with twice-yearly meetings required, while the full board keeps strategy, budget, execution, brand and reputation, M&A and competition.

The committee also formally takes charge of enterprise risk management—risk‑governance structure, risk‑assessment practices, the “overall effectiveness” of ERM, and the company’s “tone and culture” on risk appetite and tolerance, including how those concepts are built into decisions and processes.

Crucially, Risk now receives reports from “corporate audit and compliance staff,” can be asked by Audit to oversee remediation of specific matters, reviews significant legal and regulatory issues and their remediation progress, gets briefings on major examinations and investigations, reviews the risk‑factor sections of the 10‑K and 10‑Q before they go to Audit, and once a year reviews how risks are allocated across the board and committees, recommending changes and joint sessions where oversight overlaps.

On the surface, the February 26 updates look exactly like the kind of post‑crisis blueprint a corporate monitor would want: clearly defined committee remits, formal risk‑factor review roles, and a matrix that covers financial reporting, legal/regulatory risk, culture, technology and incentives without obvious gaps.

But a deeper look into how these governance updates filter into the executive ranks and daily operations raises questions about whether this is a sign of real change at the company or simply compliance theater.

In September 2022, the SEC’s Division of Corporation Finance sent eBay a comment letter on its April 2022 proxy statement. Among other things, the staff asked the company to expand its discussion of board risk oversight and, by way of example, to disclose “whether you have a Chief Compliance Officer and to whom this position reports,” as well as how risk oversight aligns with disclosure controls and procedures.

It was a simple question: do you have a CCO, and where in the org chart does that role sit?

Unfortunately, the answer was anything but simple as Molly Finn, hailed as eBay's first Chief Compliance Officer, was quietly demoted to Deputy General Counsel M&A and Securities in January 2022, leaving an apparent gap in eBay's compliance leadership for over a year and a half.

eBay Loses Compliance, M&A Leader As Molly Finn Leaves Legacy Of Legal & Regulatory Debacles Behind

Once celebrated as eBay’s first Chief Compliance Officer, Molly Finn is departing the company, leaving legacy of legal & regulatory debacles in her wake.

Value Added ResourceLiz Morton

The 2024 Risk Committee charter said the committee would “review periodic reports from the Company’s Chief Compliance Officer” about enhancements and the effectiveness of the compliance risk‑management program. That language was at least a nod toward the structure the SEC had asked the company to explain.

The 2026 Risk charter removes it. There is no longer any mention of a Chief Compliance Officer. Instead, the committee is told to receive reports from “corporate audit and compliance staff” and generic “management.”

Viewed in the context of the cyberstalking DPA and independent compliance monitoring, as well as eBay’s own management history, this change is more than just a stylistic tweak.

Finn's eventual replacement, Ryan Jones, was hired as Chief Risk and Compliance Officer in late 2023 and quietly left the company in October 2025.

His departure showed up on LinkedIn but not in company disclosures and no successor has been publicly identified as of early 2026.

eBay Risk & Compliance Leadership Back in Flux Following Ryan Jones’ Departure

eBay’s Risk and Compliance leadership is again in transition after Ryan Jones’ exit, renewing questions about governance and oversight.

Value Added ResourceLiz Morton

And now, the one charter that used to anchor risk oversight to a named CCO has been scrubbed of that reference.

Notably, Corporate Governance’s new charter goes in the opposite direction. It names the Chief Ethics Officer (currently Aaron Johnson) and Chief Legal Officer (currently Samantha Wellington) by title, tying oversight directly to two specific officers, rather than generic, faceless “staff.”

Net result: ethics and governance are linked to identifiable people, while risk and compliance are linked to nobody in particular - despite the SEC’s 2022 request that the company clarify whether it has a Chief Compliance Officer and how that role reports within the organization.

While Corporate Governance specifically calling out responsible officers by title is a positive move for transparency and oversight, the efficacy of that reporting chain still ultimately relies on the people occupying those positions at any given time.

In 2019, Aaron Johnson was VP Litigation, IP Assets and Site Trust. He was on the internal email chain about the Fidomaster/ unsuckEBAY Twitter account that later became central evidence in the cyberstalking case.

The email chain kicked off with Wenig expressing his desire to see the unsuckEBAY Twitter account shut down - assigning the task to Baugh, with then-Chief Legal Counsel Marie Oh Huber and Wymer copied.

Wymer responded, confirming he had previously discussed the issue with Baugh and explored all angles with Twitter but had been unable to get the account killed.

Oh Huber replied that the Twitter account did not violate copyright laws, that it was protected as parody, and that the legal claim against it was “not actionable under the law,” though outside counsel could still send a letter.

Johnson echoed that view from a litigation perspective, saying the claim was weak and that suing would likely fail and create a “low‑risk” but real chance of backfiring.

Wymer responded with fury: the account was “absolutely unacceptable,” gave him ulcers, and “ANYTHING we can do to solve it should be explored.” He ended with the three words that now summarize the scandal: “Whatever. It. Takes.”

Yet no one on that chain (including Aaron Johnson) appears to have translated Wymer’s “whatever it takes” into a formal ethics or compliance escalation - or if they did, whatever system was in place at the time was clearly not enough to prevent a group of employees from crossing the line into criminal activity.

Johnson was promoted to Chief Ethics Officer in late 2023 and the new Corporate Governance charter says independent directors will now rely on him as one of their primary sources for information about Code compliance, ethics “tone from the top,” and insider‑trading violations.

The stalking scandal wasn't just a case of security employees gone rogue or executives using "inappropriate" tone in their communications - it was a stunning failure of board oversight and governance at every level.

Anchoring ethics in that same orbit undermines the idea that eBay has brought truly fresh eyes into the function, especially since the Corporate Governance and Nominating Committee Johnson will be reporting to is led by Paul Pressler.

The timing of these changes raises even more governance questions and concerns.

eBay did not refresh its board‑committee structure in the immediate aftermath of the scandal, when the DPA was announced in January 2024 or at any time while the civil litigation was pending.

It waited until February 26, 2026 - the day after the Steiners' suit was settled and dismissed.

Had the board revamped its committee structure while the civil case was still active, the changes themselves might have been introduced as evidence that the prior oversight framework was inadequate, a factor that could have influenced how a jury viewed the potential nine-figure punitive damages that were at stake.

Internal analyses of governance failures and draft charters could also have been subject to discovery, potentially forcing directors to explain under oath why those safeguards were not in place in 2019.

Instead, the company gets to show DOJ, the monitor and investors a polished new risk and compliance architecture without having given the Steiners the opportunity to broaden discovery into the board’s deliberations - limiting the governance story to a post‑script, rather than part of the trial narrative.

That timing may reflect savvy litigation strategy, but from a culture perspective, it's harder to spin.

If these changes are truly about preventing another catastrophe, why did the board wait until the last major civil exposure was neutralized before formalizing the very oversight mechanisms it will now likely point to as evidence that “lessons have been learned”?

For anyone judging how deep the change really goes, the fact remains that board‑level “reform” came only after the company had safely taken the threat of a public trial off the table and still leaves key legacy leadership with ties to the scandal in place.

eBay now has every governance talking point a post‑scandal company could want. What it hasn’t shown is that this board is willing to use those tools in a visible way - through clawbacks, refreshed leadership, or ethics decisions that go beyond negotiated exits and carefully framed press releases.

Until that happens, the question for investors and regulators isn’t whether eBay has the right governance structure on paper. It’s whether the board is willing to do the right thing in practice - whatever it takes.