The U.S. Securities and Exchange Commission’s recent $35 million settlement over the Yahoo! data breach provides an object lesson in the consequences of failing to publicly disclose a major cyber-attack.
The nation’s top securities regulator imposed the fine on Altaba Inc. — formerly Yahoo! — for not disclosing in a timely manner one of the largest reported hacks in U.S. history, the first action by the Commission for a cybersecurity disclosure violation. Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.
Yahoo has acknowledged that the 2014 hacking and a separate incident in 2013 affected 3 billion user accounts.
Although there was no admission of wrongdoing, the agency’s investigation is continuing and Altaba is required to produce documents “ cooperation of … current and former directors, officers, employees and agents....”
The SEC’s complaint charges the company with acting “negligently” in not informing investors earlier of the hack and for filing materially misleading reports with the Commission. The settlement does not rule out further enforcement proceedings.
In its complaint, the SEC alleged that Yahoo’s senior managers and internal legal team were told about the breach but they failed to fully investigate it. “By December 2014, Yahoo’s information security team had determined that hackers had stolen copies of Yahoo’s user data base files … and likely even Yahoo’s entire user database of billions of users … Yahoo’s information security team,” alleged the SEC complaint. “Within days after Yahoo’s information security team reached these conclusions, members of Yahoo’s senior management and legal teams received various internal reports … stating that the theft of hundreds of millions of Yahoo users’ personal information had occurred.”
“Yahoo’s senior management and legal teams did not share the information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings,” said the SEC complaint.
It was not until September 2016 that Yahoo publicly disclosed the breach, shortly before it was to close the sale of its operating unit to Verizon Communications Inc. The day the hack was announced, Yahoo’s stock fell 3 percent. And the tardy disclosure also reduced Verizon’s acquisition cost by $350 million or 7.25 percent.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” said Steven Peikin, co-director of SEC enforcement in a prepared statement. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement actions would be warranted. This is clearly such a case.”
“Yahoo’s failure to have controls and procedures in place to assess its cyber disclosure obligations ended up leaving its investors totally in the dark about the massive data breach,” said the SEC.
In February, the SEC issued long-awaited revised guidance to public companies on the disclosure of cybersecurity risk. The guidance warned companies to make “timely” disclosure of cybersecurity risks and incidents, noting the “grave threat” that cybercrime poses to the capital markets and investing public.
My recent New York Times DealBook piece discusses the dilemma public companies face in announcing a data security incident.
We will continue to report on this evolving area.
By Craig A. Newman of Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice. Read more Patterson Belknap blogs here.