Yesterday, the Securities and Exchange Commission (SEC) announced an important administrative settlement with Altaba (Yahoo) related to the company’s failure to disclose a major security breach to its users and investors. Under the terms of the settlement, the company agreed to pay a $35 million civil money penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.

The SEC alleged that, shortly after the December 2014 intrusion into the company’s systems, the company’s IT staff learned that the hackers had stolen data considered to be the “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. Although information relating to the breach was reported to the company’s senior management and legal department, the company failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The SEC also alleged that the company’s senior management did not share information regarding the breach with the company’s auditors or outside counsel to assess the company’s disclosure obligations in its public filings.

The facts related to the breach were not disclosed to the investing public until more than two years later, in 2016, when Yahoo was in the process of closing the sale of its operating business to Verizon Communications, Inc. That disclosure triggered a $1.3 billion drop in the company’s market value.

The SEC alleged that Yahoo’s public filings during the two-year period until disclosure was made (in September 2016) were materially misleading to investors. Without admitting or denying the SEC’s allegations, the company consented to an order requiring it to cease and desist from further violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Securities Exchange Act of 1934 and related SEC rules.

In the SEC’s press release announcing the settlement, a senior SEC Enforcement Division official stated, “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

The settled Yahoo/Altaba action is being viewed, correctly so, as a “message” case. The resolution of the case demonstrates that the SEC’s enforcement energy has been, and will continue to be, increasingly directed at the obligations of public companies to make full and prompt disclosure to the markets when material data breach events take place that impact customers and investors.

Edward B. Whittemore

Ted Whittemore advises public, private, emerging and nonstock/non-profit businesses on a broad range of corporate, securities and governance matters with a focus on general corporate law, registered and exempt securities offerings, SEC compliance representation, mergers and acquisitions, and corporate finance. Ted has represented issuers and investors in public and private offerings of debt and equity securities and has advised securities professionals (broker-dealers, investment advisers, and their personnel) on registration, reporting and other regulatory and compliance matters. He advises public companies with their ongoing regulatory matters, including periodic reporting with the SEC, corporate disclosure and finance, stock exchange listing compliance, short-swing and insider trading matters, proxy regulation and deregistration issues. Ted has represented both buyers and sellers in merger, acquisition and divestiture transactions and has advised directors and officers with respect to their fiduciary obligations under state corporate laws. He also advises clients with respect to the formation, management and on-going operations of privately-held and nonstock/non-profit business entities. Ted has authored or co-authored a number of publications on issues including state corporate laws, SEC regulations, insider trading, securities offerings, financial privacy, and electronic financial services.