Scarinci Hollenbeck, LLC
The Firm
201-896-4100 info@sh-law.com
Firm Insights
Author: Scarinci Hollenbeck, LLC
Date: May 23, 2018
The Securities and Exchange Commission (SEC) recently announced that it has reached a $35 million settlement with Altaba Inc. (formerly known as Yahoo! Inc.). The settlement resolves allegations that the company misled investors by failing to timely report its massive 2014 data breach.
The SEC enforcement action is the first to crack down on a public company over inadequate data breach disclosures, but it is unlikely to be the last. “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Steven Peikin, Co-Director of the SEC Enforcement Division, said in a press statement.
In December 2014, Yahoo’s information security team discovered that Russian hackers had stolen what they internally called the company’s “crown jewels.” The stolen data included usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.
Although the breach was reported to members of Yahoo’s senior management and legal department, Yahoo did not publicly disclose the breach until more than two years later in 2016, when the company was in the process of closing the acquisition of its operating business by Verizon Communications, Inc. The disclosure of the data breach lowered the value of the company in its acquisition by Verizon Communications, Inc. After Yahoo disclosed the 2014 data breach, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million, representing a 7.25 percent reduction in price. The fallout from the company’s mismanagement of the breach also resulted in the resignation of the company’s top lawyer.
In its subsequent enforcement action, the SEC alleged that Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The SEC’s order specifically determined that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches.
According to the SEC, Yahoo’s disclosure violations continued in connection with a proposed sale of its operating business to Verizon in July 2016. Although Yahoo was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement with Verizon, by which Verizon was to acquire Yahoo’s operating business for $4.825 billion.
The SEC’s order also concluded that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Yahoo neither admitted nor denied the findings in the SEC’s order. However, it will pay $35 million to resolve the allegations.
Earlier this year, the SEC published interpretive guidance to help public companies prepare disclosures about cybersecurity risks and incidents. As discussed in greater detail in a prior article, the SEC guidance emphasized the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the context of cybersecurity.
With regard to disclosure obligations, the SEC advises that a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The guidance advises that the SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.
As highlighted by the SEC, the materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause, such as reputational harm, financial performance, and a likelihood of litigation.
The SEC will continue to scrutinize how public companies respond to data breaches and other cyber incidents. We encourage businesses to thoroughly review their cyber policies and procedures to verify, before a breach occurs, that they are equipped to respond quickly and thoroughly.
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.