In a first-of-its-kind enforcement action, the SEC has levied a $35 million penalty against Altaba, Inc., as successor in interest to Yahoo, for Yahoo’s two-year delay in reporting the massive data breach the company experienced in December 2014. Altaba, which neither admitted nor denied any wrongdoing, agreed to pay the penalty as part of the settled resolution of SEC cease-and-desist proceedings. The penalty follows the SEC’s recent release of cybersecurity disclosure guidance for reporting companies and clearly indicates that the agency is increasingly focused on companies’ cybersecurity disclosure practices. The SEC’s April 24, 2018 press release about the penalty can be found here. The SEC’s April 24, 2018 order in the cease-and-desist proceedings can be found here.
As has been previously noted on this blog, Russian hackers accessed millions of Yahoo’s users’ records in a December 2014 breach of Yahoo’s data systems. Even though the information accessed represented what Yahoo internally called its “crown jewels” (usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts), and even though senior management and the legal department were aware of the breach, Yahoo did not publicly disclose the breach until September 2016. The ultimate disclosure took place shortly before the intended closing of Verizon’s planned acquisition of Yahoo’s operating business. When the company finally did disclose the breach, the company’s share price fell by 3%, reducing the company’s market capitalization by $1.3 billion. Following the disclosure, Verizon renegotiated the price of the Yahoo operating business acquisition, reducing the price by $350 million, or 7.25 percent.
According to the SEC’s press release, prior to the ultimate disclosure, “Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.” For two years following the breach, the company failed to disclose the breach and its legal implications, instead disclosing only that it faced the “risk” of a breach. The SEC said Yahoo also failed to have controls in place designed to ensure that the company would respond appropriately to these kinds of developments, including reviewing the need for disclosure.
The SEC’s enforcement action against Yahoo and the resulting penalty are both clearly intended to send a message to other reporting companies. The SEC’s press release quotes the co-head of the SEC’s enforcement division as saying that while the agency will not second-guess good faith exercise of business judgment about cyber-incident disclosures, “we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
The regional head of enforcement is also quoted as saying that Yahoo’s failure to have appropriate controls in place left investors in the dark. He added that “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
The facts and circumstances surrounding the Yahoo data breach were also the subject of a separate securities class action lawsuit filed on behalf of investors. As noted here, the securities class action lawsuit settled in March 2018 for $80 million.
The SEC’s announcement of the $35 million Yahoo penalty also follows the agency’s February 2018 release of cybersecurity disclosure guidance, in which the agency emphasized the importance of cybersecurity disclosure for reporting companies. Among other things, the guidelines emphasized the factors companies should consider in deciding whether and when cyber-incidents must be disclosed to investors. The guidelines emphasized the importance of internal controls to ensure that company management is fully aware of cyber-incidents when they occur, as well as the importance for managers to have procedures to help guide disclosure decisions.
The SEC’s recent issuance of the guidelines and now the imposition of the $35 million penalty clearly indicate that cybersecurity-related disclosure is an agency priority. The agency is clearly focused on ensuring that investors are fully informed about cybersecurity issues. Along those lines, the agency’s focus on Yahoo’s delay in reporting the incident clearly shows that the agency expects companies to inform investors and the marketplace about cyber-incidents on a timely basis. The Yahoo proceeding is clearly intended to communicate that the agency intends to hold companies to account when they delay informing investors about cybersecurity incidents. Yahoo may be the first company to face an SEC enforcement action as a result of cybersecurity disclosure issues, but it almost certainly will not be the last.
The larger message here from both the SEC penalty and the earlier securities class action settlement is that cybersecurity represents a significant source of potential legal exposure for companies and their management – and for their insurers. Commentators (including me) have been predicting for years that cybersecurity is going to be one of the important liability exposures for companies and their management. It has taken a while, but I think we can say that it is now confirmed. Cybersecurity clearly represents a significant area of D&O liability exposure.