For the first time, the SEC has charged a public company for failing to properly inform investors about a cybersecurity breach. Altaba, formerly known as Yahoo! Inc., agreed to pay a $35 million penalty to settle SEC charges that it failed to disclose one of the world’s largest data breaches, which resulted in the theft of personal data of hundreds of millions of Yahoo’s user accounts (In the Matter of Altaba, Inc., f/d/b/a/ Yahoo! Inc., Release No. 33-1485, April 24, 2018).
Cyber breach. In late 2014, Yahoo became aware that its information technology networks and systems had suffered a severe and widespread intrusion by hackers associated with the Russian Federation. By December 2014, Yahoo’s information security team determined that the hackers had stolen personal data of at least 108 million users and possibly its entire database of billions of users. The information security team found that the stolen data files included what it referred to as "crown jewels," such as user names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. The hackers had also gained access to the email accounts of 26 Yahoo users who had been specifically targeted because of their Russia connections.
Failure to disclose. According to the SEC, instead of disclosing the massive data breach in its public filings, Yahoo merely stated in its risk factor disclosures that a significant data breach had not yet occurred and that it only faced the risk of data breaches in the future.
In the summer of 2016, Yahoo began negotiations to sell its operating business to Verizon Communications, Inc. The SEC alleged that Yahoo created a spreadsheet that falsely represented to Verizon that it was aware of only four "minor breaches" involving the exposure of users’ personal information. In July 2016, Yahoo entered into a stock purchase agreement with Verizon in which it affirmatively represented that there had been no incidents of security breaches or theft or misuse of any personal data in Yahoo’s possession.
Data breach comes to light. Yahoo finally disclosed the 2014 breach to Verizon and to the public on September 22, 2016, in a press release attached to a Form 8-K. Following this disclosure, Yahoo’s market capitalization fell nearly $1.3 billion. Yahoo and Verizon renegotiated the terms of the sale of Yahoo’s operating business, including a reduction in the acquisition price of $350 million, or a 7.25 percent discount. Yahoo also amended its previous filings to reflect that the data breach had occurred and that the company’s disclosure controls and procedures were not effective. After the breach was revealed, Sen. Mark Warner (D-Va) called on the SEC to investigate whether Yahoo had failed to meet its disclosure obligations regarding the breach.
Charges and settlement. According to the SEC, Yahoo’s senior management and legal staff did not properly assess the scope, business impact, or legal implications of the data breach. Its senior management and legal teams also did not share information about the breach with the company’s outside auditors or outside counsel. The only users who were notified of the breach were the 26 users whose email accounts had been accessed.
The SEC also alleged that after the 2014 breach, Yahoo’s information security team determined that the same hackers continued to attack Yahoo’s user database and that information likely had been stolen by nation-state actors that could expose the information on the dark web. According to the SEC, even though Yahoo’s chief information security officer informed at least one senior member of Yahoo’s management about these conclusions during the Verizon negotiations, Yahoo affirmatively represented that it was unaware of any security breaches.
Yahoo was charged with violating the antifraud provisions of the Securities Act as well as violating several Exchange Act rules relating to the filing of accurate periodic and current reports and maintaining proper disclosure controls and procedures.
In addition to the $35 million penalty, Yahoo agreed to cease and desist from further violations. In the SEC’s order instituting administrative proceedings, it noted that in determining to accept Yahoo’s offer of settlement, it considered that Yahoo had agreed to several undertakings, including cooperating with the SEC in future investigations arising from the matter. The order also notes that the SEC is not imposing a heftier penalty because of Yahoo’s agreement to cooperate with the Commission. In a press call with reporters, Enforcement Co-Director Steve Peikin noted that the SEC is still conducting its investigation and that it has not made any decisions regarding the conduct of individuals, including Yahoo officers and other corporate representatives, and declined to comment on that aspect of the continuing investigation.
Observing that the staff is aware of the challenges companies face when cyber attacks involve difficult judgment calls about whether, when, and how to disclose a breach, Peikin stressed that the allegations against Yahoo amounted to a "complete corporate failure" to disclose a data breach that was widely known within the company, a failure that was in part the result of the absence of adequate disclosure controls and procedures. The staff does not want to second-guess good faith judgments, but that was not the case here, Peikin advised.
"This should serve as a message to other companies that they should have the appropriate procedures in place for assessing the impact of cyber breaches on their disclosures," Peikin said.
Yahoo did not admit or deny the SEC’s findings.
The release is No. 33-1485.
Companies: Altaba, Inc., f/d/b/a/ Yahoo! Inc.