April 27, 2018

SEC Fines Yahoo $35 Million for Failure to Disclose 2014 Data Breach

In its first enforcement action against a public company for deficient data breach disclosures, the Securities and Exchange Commission (“SEC” or “the Commission”) imposed a $35 million penalty and cease-and-desist order (the “Order”) against Altaba Inc., the company formerly known as Yahoo (“Yahoo” or “the Company”), for misleading investors by waiting nearly two years to acknowledge a massive computer breach conducted by Russian hackers in 2014 (the “2014 Breach”). Yahoo eventually disclosed the 2014 Breach, which impacted the personal information of over 500 million Yahoo user accounts, in 2016. The settled Order, issued on April 24, 2018, charges Yahoo with negligence-based fraud, and violations of the periodic filing and disclosure control regulations based on Yahoo’s material misstatements and omissions regarding the 2014 Breach.1 The Order is consistent with the Commission’s recent interpretative guidance regarding cybersecurity disclosures and controls, and gives muscle to the SEC’s position that companies are required to disclose material cyber risks and incidents, and maintain effective disclosure controls.2

Underlying Misconduct

The Order is based on Yahoo’s failure to disclose the 2014 Breach – which is one of the largest known data breaches in history – for more than two years, despite its contemporaneous knowledge of the breach. Yahoo’s information security team identified the breach within days, and immediately reported it to members of Yahoo’s senior management and legal teams. The Order notes that Yahoo also did not share information regarding the breach with its auditors or outside counsel in order to assess the Company’s disclosure obligations in its public filings, and continued to file annual and quarterly reports that disclosed only the risk of potential data breaches, misleadingly suggesting that a significant data breach had not already occurred. As a consequence, Yahoo’s risk factor disclosures in its annual and quarterly reports and its management’s discussion were misleading, and its analysis of financial condition and results of operations in those reports was misleading to the extent it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 Breach. Moreover, in connection with Yahoo’s proposed sale of its operating business to Verizon Communications, Inc. (“Verizon”) in July 2016, Yahoo falsely represented in its Stock Purchase Agreement, that was filed in a Form 8-K with the SEC, that it was unaware of any material security breaches.

When Yahoo finally disclosed the breach – on September 22, 2016, more than two years after it had occurred – Yahoo’s market capitalization fell nearly $1.3 billion, a 3% drop in share price. The public disclosure also resulted in a $350 million reduction in Yahoo’s sale price to Verizon – a discount of 7.25%.

Import of Precedential Order

The proceeding against Yahoo is the first SEC enforcement action against a public company for deficient cybersecurity disclosures and disclosure controls. Reinforcing the recent SEC guidance on cybersecurity disclosures, the SEC’s Director of its San Francisco Regional Office noted that, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”

It is noteworthy that the SEC charged Yahoo with negligence-based fraud under Sections 17(a)(2) and 17(a)(3) of the Securities Act, and obtained a substantial penalty of $35 million, placing the settlement among the top 10 negligence-based disclosure settlements in actions brought by the SEC. In addition to the large penalty, the Order requires the Company to fully cooperate with the SEC in all investigations, litigation or other proceedings arising from the 2014 Breach; produce, on request, all non-privileged documents and/or appropriate privilege logs; and use its best efforts to secure the cooperation of current and former directors and officers. This cooperative undertaking signals that additional charges may be forthcoming. To date no individuals at Yahoo have been charged in connection with the 2014 Breach. Interestingly, the Order does not address an earlier data breach in 2013 that ultimately affected over three billion Yahoo users (the “2013 Breach”). When Yahoo disclosed the 2013 Breach in December 2016 (several months after its disclosure of the 2014 Breach), its stock price fell 6%.

Overall, the Order against Yahoo illustrates that while the SEC will not “second-guess good faith exercises of judgment about cyber-incident disclosure,” there are “instances where a company’s response to such an event could be so lacking that an enforcement action could be warranted.”3 The terms of the settlement punctuate the SEC’s commitment to ensuring that public companies have adequate cybersecurity policies and procedures in place to assess disclosure of material cybersecurity risks and data breaches, and make reasonable disclosure of material cybersecurity risks and incidents in filings before the Commission.

Click here to download this article here.

The SEC charged Yahoo with violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15 thereunder.

To read more about the Guidance, see our prior alert on February 27, 2018.

Steven Peikin, Co-Director of the SEC Enforcement Division, Apr. 24, 2018 Press Release.