Scarinci Hollenbeck, LLC


What Does SEC’s Yahoo Settlement Mean for Cyber Enforcement?

Author: Scarinci Hollenbeck, LLC

Date: May 23, 2018


The SEC Recently Announced it has Reached a $35 Million Settlement with Altaba Inc. (formerly known as Yahoo! Inc.) – What Does this Settlement Mean for Cyber Enforcement?

The Securities and Exchange Commission (SEC) recently announced that it has reached a $35 million settlement with Altaba Inc. (formerly known as Yahoo! Inc.). The settlement resolves allegations that the company misled investors by failing to timely report its massive 2014 data breach.


The SEC enforcement action is the first to crack down on a public company over inadequate data breach disclosures, but it is unlikely to be the last. “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Steven Peikin, Co-Director of the SEC Enforcement Division, said in a press statement.

Yahoo’s 2014 Data Breach

In December 2014, Yahoo’s information security team discovered that Russian hackers had stolen what they internally called the company’s “crown jewels.” The stolen data included usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts.

Although the breach was reported to members of Yahoo’s senior management and legal department, Yahoo did not publicly disclose the breach until more than two years later in 2016, when the company was in the process of closing the acquisition of its operating business by Verizon Communications, Inc. The disclosure lowered the value of the company in that acquisition: after Yahoo disclosed the 2014 data breach, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo’s operating business by $350 million, representing a 7.25 percent reduction in price. The fallout from the company’s mismanagement of the breach also resulted in the resignation of the company’s top lawyer.

SEC’s Allegations

In its subsequent enforcement action, the SEC alleged that Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The SEC’s order specifically determined that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches.  

According to the SEC, Yahoo’s disclosure violations continued in connection with a proposed sale of its operating business to Verizon in July 2016. Although Yahoo was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement with Verizon, by which Verizon was to acquire Yahoo’s operating business for $4.825 billion.

The SEC’s order also concluded that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order found that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.

Yahoo neither admitted nor denied the findings in the SEC’s order. However, it will pay $35 million to resolve the allegations.

SEC Cyber Guidance

Earlier this year, the SEC published interpretive guidance to help public companies prepare disclosures about cybersecurity risks and incidents. As discussed in greater detail in a prior article, the SEC guidance emphasized the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures, insider trading prohibitions, and Regulation FD and selective disclosure prohibitions in the context of cybersecurity.

With regard to disclosure obligations, the SEC advises that a company is required to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading.” The guidance advises that the SEC considers omitted information to be material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.

As highlighted by the SEC, the materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause, such as harm to reputation and financial performance and the likelihood of litigation.

Key Takeaway for Public Companies

The SEC will continue to scrutinize how public companies respond to data breaches and other cyber incidents. We encourage businesses to thoroughly review their cyber policies and procedures to verify, before a breach occurs, that they are equipped to respond quickly and thoroughly.

No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
