The SEC Recently Announced it has Reached a $35 Million Settlement with Altaba Inc. (formerly known as Yahoo! Inc.) – What Does this Settlement Mean for Cyber Enforcement?
The Securities and Exchange Commission (SEC) recently announced that it has reached a $35 million settlement with Altaba Inc. (formerly known as Yahoo! Inc.). The settlement resolves allegations that the company misled investors by failing to timely report its massive 2014 data breach.
The SEC enforcement action is the first to crack down on a public company over inadequate data breach disclosures, but it is unlikely to be the last. “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Steven Peikin, Co-Director of the SEC Enforcement Division, said in a press statement.
Yahoo’s 2014 Data Breach
In December 2014, Yahoo’s information security team discovered that Russian hackers had stolen what they internally called the company’s “crown jewels.” It included usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
Although the breach was reported to members of Yahoo’s senior management and legal department, Yahoo did not publicly disclose the breach until more than two years later in 2016, when the company was in the process of closing the acquisition of its operating business by Verizon Communications, Inc. The disclosure of the data breach lowered the value of the company in its acquisition by Verizon Communications, Inc. After Yahoo disclosed the 2014 data breach, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million, representing a 7.25 percent reduction in price. The fallout from the company’s mismanagement of the breach also resulted in the resignation of the company’s top lawyer.
SEC’s Allegations
In its subsequent enforcement action, the SEC alleged that Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The SEC’s order specifically determined that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches.
According to the SEC, Yahoo’s disclosure violations continued in connection with a proposed sale of its operating business to Verizon in July 2016. Although Yahoo was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement with Verizon, by which Verizon was to acquire Yahoo’s operating business for $4.825 billion.
The SEC’s order also concluded that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Yahoo neither admitted nor denied the findings in the SEC’s order. However, it will pay $35 million to resolve the allegations.
SEC Cyber Guidance
Earlier this year, SEC published interpretive guidance to help public companies in preparing disclosures about cybersecurity risks and incidents. As discussed in greater detail in a prior article, the SEC guidance emphasized the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the context of cybersecurity.
With regard to disclosure obligations, the SEC advises that a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The guidance advises that the SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.
As highlighted by the SEC, the materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The range of harm, such as reputational harm, financial performance, and a likelihood of litigation, also influences the materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause.
Key Takeaway for Public Companies
The SEC will continue to scrutinize how public companies respond to data breaches and other cyber incidents. We encourage businesses to thoroughly review their cyber policies and procedures to verify that they are equipped to quickly and thoroughly respond to a breach before it occurs.
Crypto Enforcement: A Former Prosecutor’s Warning to Criminals and the Public
Cryptocurrency intimidates most people. The reason is straightforward. People fear what they do not understand. When confusion sets in, the common reaction is either to ignore the subject entirely or to mistrust it. For years, that is exactly how most of the public and even many in law enforcement treated cryptocurrency. However, such apprehension changed […]
Understanding Chattel Paper: A Key Component in Secured Transactions
Using chattel paper to obtain a security interest in personal property is a powerful tool. It can ensure lenders have a legal claim on collateral ranging from inventory to intellectual property. To reduce risk and protect your legal rights, businesses and lenders should understand the legal framework. This framework governs the creation, sale, and enforcement […]
For years, digital assets operated in a legal gray area, a frontier where innovation outpaced the reach of regulators and law enforcement. In this early “Wild West” phase of finance, crypto startups thrived under minimal oversight. That era, however, is coming to an end. The importance of crypto compliance has become paramount as cryptocurrency has […]
Supreme Court and Title VII: Implications for Reverse Discrimination
Earlier this month, the U.S. Supreme Court issued a decision in Ames v. Ohio Department of Youth Services vitiating the so-called “background circumstances” test required by half of federal circuit courts.1 The background circumstances test required majority group plaintiffs pleading discrimination under Title VII of the Civil Rights Act to meet a heightened pleading standard […]
Special purpose acquisition companies (better known as SPACs) appear to be making a comeback. SPAC offerings for 2025 have already nearly surpassed last year’s totals, with additional transactions in the pipeline. SPACs last experienced a boom between 2020–2021, with approximately 600 U.S. companies raising a record $163 billion in 2021. Notable companies that went public […]
Short Form Merger: Streamlining the Process for Businesses
Merging two companies is a complex legal and business transaction. A short form merger, in which an acquiring company merges with a subsidiary corporation, offers a more streamlined process that involves important corporate governance considerations. A short form merger, in which an acquiring company merges with a subsidiary corporation, offers a more streamlined process. However, […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
Let`s get in touch!
Sign up to get the latest from the Scarinci Hollenbeck, LLC attorneys!
