The Securities and Exchange Commission (SEC) announced on Tuesday that it has brought an enforcement action and reached a $35 million settlement with Altaba Inc., the successor in interest to Yahoo! Inc. The civil penalty against Altaba is the first of its kind and—following closely on the heels of the SEC’s recent interpretive guidance—is further confirmation of the agency’s increasing focus on public companies’ cybersecurity disclosure obligations.
The enforcement action arises out of a December 2014 breach in which third-party criminals stole data associated with hundreds of millions of Yahoo user accounts. Even though the breach was reported to members of Yahoo’s senior management and its legal department, Yahoo did not publicly disclose the breach until September 2016, shortly before the anticipated close of Verizon’s acquisition of the company. Yahoo’s stock price dropped approximately 3% following the announcement, and Verizon thereafter renegotiated the acquisition, reducing the purchase price by $350 million, or 7.25%.
The SEC’s order instituting cease-and-desist proceedings against the company finds that Yahoo made several materially misleading statements and/or omissions following the data breach, including in its risk factor disclosures that “claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information … without disclosing that a massive data breach had in fact already occurred.” The order also highlights Yahoo’s statements in the publicly filed stock purchase agreement with Verizon, which contained “representations denying the existence of any significant data breaches.”
The order further finds that—although Yahoo senior management and legal staff were aware of the intrusion—they failed to “properly assess the scope, business impact, or legal implications of the breach, including how and where [it] should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.” The SEC notes in particular that management did not share information about the breach with the company’s auditors or outside counsel. The order concludes that the company failed to maintain sufficient controls and procedures to ensure that reports from the company’s internal information security team were properly assessed to determine whether and how a cybersecurity incident should be publicly disclosed.
The SEC’s message in this watershed release is clear: while the agency maintains that it will not “second-guess good faith exercises of judgment about cyber-incident disclosure,” public companies “should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” Absent those controls and procedures, public companies remain vulnerable to future enforcement actions.