The Securities and Exchange Commission (SEC) recently announced that it has reached a $35 million settlement with Altaba Inc. (formerly known as Yahoo! Inc.). The settlement resolves allegations that the company misled investors by failing to timely report its massive 2014 data breach.

The SEC enforcement action is the first to crack down on a public company over inadequate data breach disclosures, but it is unlikely to be the last. “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Steven Peikin, Co-Director of the SEC Enforcement Division, said in a press statement.

Yahoo’s 2014 Data Breach

In December 2014, Yahoo’s information security team discovered that Russian hackers had stolen what the team internally called the company’s “crown jewels.” The stolen data included usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.

Although the breach was reported to members of Yahoo’s senior management and legal department, Yahoo did not publicly disclose the breach until more than two years later, in 2016, when the company was in the process of closing the acquisition of its operating business by Verizon Communications, Inc. The disclosure lowered the value of the company in that acquisition: after Yahoo disclosed the 2014 data breach, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million, a 7.25 percent reduction in price. The fallout from the company’s mismanagement of the breach also resulted in the resignation of the company’s top lawyer.

SEC’s Allegations

In its subsequent enforcement action, the SEC alleged that Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The SEC’s order specifically determined that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated only that it faced the risk of, and the negative effects that might flow from, data breaches.

According to the SEC, Yahoo’s disclosure violations continued in connection with a proposed sale of its operating business to Verizon in July 2016. Although Yahoo was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement with Verizon, by which Verizon was to acquire Yahoo’s operating business for $4.825 billion.

The SEC’s order also concluded that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.

Yahoo neither admitted nor denied the findings in the SEC’s order. However, it will pay $35 million to resolve the allegations.

SEC Cyber Guidance

Earlier this year, the SEC published interpretive guidance to help public companies prepare disclosures about cybersecurity risks and incidents. As discussed in greater detail in a prior article, the SEC guidance emphasized the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the context of cybersecurity.

With regard to disclosure obligations, the SEC advises that a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The guidance advises that the SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As highlighted by the SEC, the materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. Materiality also depends on the range of harm that such incidents could cause, such as reputational harm, effects on financial performance, and the likelihood of litigation.

Key Takeaway for Public Companies

The SEC will continue to scrutinize how public companies respond to data breaches and other cyber incidents. We encourage businesses to thoroughly review their cyber policies and procedures now, before a breach occurs, to verify that they are equipped to respond to one quickly and thoroughly.