Ever since the SEC released its cyber security disclosure guidelines in October 2011, commentators (including me) have been speculating whether the agency might try to nab a company whose disclosure practices the agency might use as sort of a test case on the guidelines’ requirements. It now appears, at least based on media reports, the SEC is investigating Yahoo in what may yet become the long-anticipated test case. According to a front page January 23, 2017 Wall Street Journal article (here), the SEC has opened an investigation looking into Yahoo, Inc.’s disclosures of two massive data breaches the company reported last year.
As discussed in detail here, Yahoo announced two data breaches during 2016. The first, which Yahoo announced in September 2016, took place sometime during 2014, and resulted in hackers obtaining data from over 500 million user accounts. A separate data breach, which apparently took place during 2013 but that Yahoo first announced in December 2016, affected over 1 billion user accounts.
According to the Journal article, the SEC is now investigating whether the company should have disclosed the breaches to investors sooner. The article further reports that the agency is looking at whether or not the company’s disclosures about the cyberattacks comply with civil securities laws. The article states that in December the agency issued requests for documents in support of its investigation.
Among other things, the agency is looking at why the company did not report the 2014 breach until September 2016, despite, the Journal reports, “having linked the incident to state-sponsored hackers two years earlier.” The company has not yet offered any explanation for the apparent delay.
The company’s seemingly belated breach disclosures also came after the company’s July 25, 2017 announcement that it would be selling its core business to Verizon Communications. On January 23, 2017, Yahoo announced, as part of its quarterly earnings release, that the Verizon transaction, which had been expected to close in the first quarter of 2017, has now been pushed back to the second quarter of 2017, adding that it is “working expeditiously to close the transaction as soon as practicable in Q2.” According to the Journal, Verizon is studying whether the breach caused a drop in Yahoo’s user base or other negative effects before making a decision about how to proceed with the deal.
To be sure, Yahoo is not the first company whose data breach disclosures the SEC has investigated. The Journal article reports that the agency previously investigated “multiple companies” regarding their data breach disclosures, including Target Corp. in connection with its December 2013 data breach. The agency ultimately did not bring an enforcement action against Target.
Just the same, the Journal suggests that the SEC’s investigation of Yahoo could represent a “major test in defining when a company is required to disclose a hack,” adding that, according to unnamed legal experts, the agency “has been looking for a case to clarify what type of conduct would run afoul of the guidance the agency issued in 2011.” The article also cites former SEC lawyers as saying that the “Yahoo scenario” appears to provide a “clearer set of circumstances than past circumstances provided.”
The question the agency likely will be examining is whether Yahoo’s apparent delays in reporting the breaches ran afoul of the requirements specified in the 2011 guidelines that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.”
As the Journal article notes, if the SEC were to bring a case against Yahoo, it could “make clearer to other companies what type of disclosures it views as potentially violating the law in this area.” An SEC case against Yahoo “could help clarify rules over timing because the guidance doesn’t lay out detailed requirements.”
The news about the SEC’s investigation of Yahoo comes at an interesting time in the evolution of the liability exposures facing companies that have experienced a significant data breach.
The highest-profile data breach-related shareholder derivative lawsuits that plaintiffs’ lawyers have filed in recent years have proven to be unsuccessful. The cases filed against Wyndham Worldwide, Target and, most recently, Home Depot all were dismissed. To be sure, shortly after the third of these three cases was dismissed, a plaintiff shareholder did file a data breach-related derivative lawsuit against the directors of Wendy’s (as discussed here). But so far at least, these derivative lawsuits have fared poorly, suggesting that plaintiffs’ lawyers are still looking for a way to make money suing the directors and officers of companies that have experienced data breaches.
The possibility that the plaintiffs’ lawyers might file a data breach-related, disclosure-related securities lawsuit against a company has always been present. (Indeed, in 2009, plaintiff shareholders did file a securities class action lawsuit against Heartland Payment Systems; that case ultimately was dismissed.) Up until this point, the plaintiffs’ lawyers have seemed more inclined to pursue derivative lawsuits rather than securities class action lawsuits, likely because many data breach announcements do not result in share price declines.
It remains to be seen whether or not the SEC will bring any type of action against Yahoo. It also remains to be seen whether any action the SEC might bring against Yahoo might result in any clarification about the agency’s disclosure guidelines. However, if an action against Yahoo (if ultimately filed) provides some clarification of its data breach disclosure guidelines, the clarification could prove useful for plaintiffs’ lawyers seeking to pursue claims against other data breach companies. The problems for plaintiffs that the lack of share price decline represents will not go away, but more specific disclosure expectations could nevertheless prove helpful for prospective plaintiffs.
Even though the data breach derivative lawsuits thus far have been unsuccessful, I remain unconvinced that we are anywhere near the point at which we can conclude that companies that have been hit with a data breach don’t have to worry about D&O lawsuits. The plaintiffs’ lawyers are too entrepreneurial and opportunistic, and the incentives are too great, for the lawyers to just go away. I expect they will continue to experiment, as they seem to be doing, for example, with the recent data breach-related lawsuit against Wendy’s. I expect that if there were to be a data breach-related enforcement action brought against Yahoo, any clarification the action provides with respect to the SEC’s data breach disclosure requirements likely will become part of a subsequent experiment.
Take Control of Your Cybersecurity: Readers interested in these cybersecurity topics will want to be sure to read the accompanying post in which I review the recently published book by Paul A. Ferrillo of the Weil Gotshal law firm and Christophe Veltsos of Minnesota State University, Mankato, entitled “Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives.”