A publicly traded company agreed to pay a $35 million civil money penalty to settle SEC charges of misleading investors by failing to disclose a significant cybersecurity breach in which hackers stole data from over 500 million user accounts. The company, formerly known as Yahoo! Inc. ("Yahoo," now known as Altaba, Inc. after it was acquired by Verizon Communications, Inc. ("Verizon")), was a prominent global Internet media company.
As explained in a Cease-and-Desist Order, the SEC determined that Yahoo became aware in December 2014 of a massive breach in which private user information – including usernames, email addresses, dates of birth, passwords, and security questions and answers – was accessed and stolen by Russian hackers. Despite knowledge of the breach, Yahoo allegedly failed to launch a sufficient investigation as to its scope, business impact and disclosure implications. In addition, Yahoo allegedly failed to inform outside counsel or auditors, and did not report the incident in SEC filings or to the affected users. The SEC found that Yahoo did not inform Verizon of the breach, or of subsequent indications that hackers were continuously targeting Yahoo users, as acquisition talks progressed between the two companies.
Yahoo ultimately disclosed the data breach to the public in September 2016, after which it agreed with Verizon to reduce the acquisition price by $350 million.
Yahoo made no admissions in connection with the settlement.
Commentary / Joseph V. Moreno
This is the SEC's first ever action against a public company for failing to disclose a material data breach – but it certainly will not be its last. The SEC's issue with Yahoo is not that this breach happened in the first place, but that Yahoo was deficient in investigating and disclosing it to its users and the investing public. Despite having been attacked by Russian hackers in one of the largest data breaches in history, Yahoo took nearly two years to adequately flesh out the extent of the attack and notify the public of the event. In the meanwhile, Yahoo continued including generic descriptions of its cybersecurity risk factors and incident history in its Form 10-K and File 10-Q filings, and only reluctantly disclosed it when it became a potential impediment to the Verizon deal. In citing its 2011 cybersecurity risk and incident disclosure guidance, which was recently updated and enhanced, the SEC noted that while good faith disclosure efforts would not be second-guessed, Yahoo's actions fell "substantially short of expectations." With this settlement coming in the wake of last year's Equifax breach, public companies are on notice that the SEC will not take kindly to vanilla descriptions of cybersecurity risk and incidents in public filings and expects companies to take their disclosure obligations seriously. It also further confirms that, despite Yahoo being the target of a sophisticated cyber attack backed by Russian state actors, the argument that this action effectively "blames the victim" clearly fell on deaf ears at the SEC.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
