SEC Enforcement News: In First of Its Kind, SEC Imposes Penalty on Company Over Data Breach Disclosures
Posted on: Apr 30 2018
On April 24, 2018, the Securities and Exchange Commission (“SEC” or “Commission”) announced that Altaba, Inc. (“Altaba”), the successor in interest to Yahoo! Inc. (“Yahoo”), agreed to pay $35 million to settle charges that it misled investors by failing to disclose that hundreds of millions of user accounts had been hacked, resulting in the theft of sensitive user personal data. (Here.)
The settlement follows the issuance of the SEC’s cybersecurity disclosure guidance for reporting companies. (The SEC’s release of the guidance can be found here.) Issued in February 2018, the guidance provides information to public companies to assist in the disclosure of cybersecurity risks and incidents (here). Among other things, the guidelines identify the factors companies should consider in deciding whether and when cyber-incidents must be disclosed to investors. The guidelines emphasize the importance of maintaining adequate internal controls to ensure that company management is aware of cyber-incidents when they occur, as well as the importance for managers to maintain procedures to help guide disclosure decisions.
In late 2014, Yahoo had learned of a massive breach of its user database that resulted in the theft of, unauthorized access to, or acquisition of hundreds of millions of its users’ personal data. As noted in the SEC’s cease-and-desist order (the “Order”) (here), at that time Yahoo’s internal information security team became aware that the company’s information technology networks and systems had suffered a severe and widespread intrusion by hackers associated with the Russian Federation.
By December 2014, Yahoo’s information security team, including its Chief Information Security Officer (“CISO”), had determined that the hackers had stolen the personal data of at least 108 million users, and likely even Yahoo’s entire user database of billions of users. The personal data in the stolen files included highly sensitive information that Yahoo’s information security team referred to as Yahoo’s “crown jewels”: “Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers.” Yahoo’s information security team, including the CISO, also concluded that “the hackers had successfully gained access to a separate source of data: the email accounts of 26 Yahoo users specifically targeted by the hackers because of their connections to Russia.”
Despite its knowledge of the 2014 data breach, Yahoo did not disclose the data breach in its public filings for nearly two years. In September 2016, Yahoo issued a press release in which it disclosed the data breach to investors; the release was attached to a Form 8-K filed in connection with the proposed sale of Yahoo’s operating business to Verizon Communications, Inc. (“Verizon”). The day after Yahoo publicly disclosed the data breach, the price of Yahoo’s stock declined by 3%, causing the company’s market capitalization to fall by nearly $1.3 billion. As a consequence, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million, representing a 7.25% reduction in price.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, Co-Director of the SEC Enforcement Division.
In the Order, the SEC found that Yahoo filed several quarterly and annual reports during the two-year period following the breach but failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC found that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber-breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” added Jina Choi, Director of the SEC’s San Francisco Regional Office. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
The facts and circumstances relating to the Yahoo data breach were also the subject of a securities class action lawsuit that investors brought in 2017. In March 2018, the class action lawsuit settled for $80 million.
Last year, the U.S. Department of Justice announced charges against four men, including two officers in Russia’s Federal Security Service, for their roles in the theft of 500 million Yahoo accounts. (Here.)
In agreeing to the settlement, Altaba neither admitted nor denied any wrongdoing.
The SEC’s investigation into the matter remains ongoing.
Takeaway
The Altaba settlement represents the first time the SEC has investigated and determined to commence an enforcement proceeding against a company for failing to disclose a cybersecurity breach. Combined with the recent guidance on the disclosure of cybersecurity risks and incidents, the settlement indicates that cybersecurity disclosure and internal control procedures are a priority for the Commission. Steven Peikin, co-director of the SEC’s enforcement division, confirmed this view, noting that cybersecurity disclosure and controls were a priority for the agency and that the Commission hoped companies facing issues similar to those experienced by Altaba would take note: “The message in this case and the package of remedies here I think is a pretty strong one and I hope will be viewed as a significant penalty by other issuers.”
Considering the Commission’s stated priority, it seems certain that other companies with issues similar to Yahoo’s will be the subject of an SEC investigation and possible enforcement action. Add to this likely consequence the commencement of securities class action lawsuits over disclosure deficiencies, and it is certain that management and their companies will face liability exposure for years to come.