Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, U.S. Securities and Exchange Commission (SEC) and Altaba Inc., (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014, but were not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

 The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident as well as the company’s public filing of multiple reports with the SEC, which commented on the risks and consequences of a breach in general, but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach, and should encourage companies to direct commensurate focus to their data breach response plans to meet responsibilities to shareholders.

According to the SEC’s release, the fact that the 2013–2014 breaches were reported internally was inadequate, and “Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”[4] Additionally, the SEC’s order found inadequacy in the company’s failure to disclose or review mitigation options for the 2013–2014 incidents with its auditors or outside legal counsel, the opinions and advice of which may have materially impacted the annual and quarterly filings made in the time period before the 2013–2014 incidents were eventually disclosed.

Although Altaba did not admit or deny the SEC’s allegations as part of the settlement, the SEC noted that its investigation is ongoing. The settlement and fine is part of a recent trend of increasing SEC activity in the cybersecurity space, with financial penalties having been anticipated for some time. The creation of a cyber unit with the SEC Enforcement Division in 2017 made clear that the SEC intends to increase enforcement efforts against a number of cyber risks, and the interpretive guidance on cybersecurity risk and incident response disclosures that it adopted in late February of this year further demonstrates the SEC’s commitment to take action against improper handling of material non-public information and disclosures regarding a public company’s cybersecurity risks and appropriateness of incident responses (including policies and procedures).[5] In particular, the SEC’s enforcement activity highlights the elevated attention and corporate governance risks posed by cybersecurity.[6] In addition to SEC actions, officers and directors are also facing increasing scrutiny from shareholders following data incidents.

 Join our partner Gerry Stegmaier as he presents at the Practicing Law Institute’s Nineteenth Annual Institute on Privacy and Data Security Law on May 7–8 in San Francisco, June 11–12 in Chicago, or via the web. His presentation, “Cybersecurity Readiness: Understanding the Landscape of Legal Requirements for Proactive Compliance,” will explore board compliance and leadership in the current regulatory and litigation landscape. To register for one of these programs, please click here.