Yesterday, the Securities and Exchange Commission (SEC) announced an important administrative settlement with Altaba (Yahoo) related to the company’s failure to disclose a major security breach to its users and investors. Under the terms of the settlement, the company agreed to pay a $35 million civil money penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.
The SEC alleged that, shortly after the December 2014 intrusion into the company’s systems, the company’s IT staff learned that the hackers had stolen data considered to be the “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. Although information relating to the breach was reported to the company’s senior management and legal department, the company failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The SEC also alleged that the company’s senior management did not share information regarding the breach with the company’s auditors or outside counsel to assess the company’s disclosure obligations in its public filings.
The facts related to the breach were not disclosed to the investing public until more than two years later, in 2016, when Yahoo was in the process of closing the sale of its operating business to Verizon Communications, Inc.; that disclosure triggered a $1.3 billion drop in the company’s market value.
The SEC alleged that Yahoo’s public filings during the two-year period until disclosure was made (in September 2016) were materially misleading to investors. Without admitting or denying the SEC’s allegations, the company consented to an order requiring it to cease and desist from further violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Securities Exchange Act of 1934, and related SEC rules.
In the SEC’s press release announcing the settlement, a senior SEC Enforcement Division official stated “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
The settled Yahoo/Altaba action is being viewed, correctly so, as a “message” case. The resolution of the case demonstrates that the SEC’s enforcement energy has been, and will continue to be, increasingly directed at the obligations of public companies to make full and prompt disclosure to the markets when material data breach events take place that impact customers and investors.