On April 24, 2018 the SEC announced a settlement of a penalty proceeding against the successor to Yahoo, Altaba, Inc., for Yahoo’s handling of the 2014 data breach that compromised the information of hundreds of millions of users.
The data breach came to light in the midst of negotiations for the acquisition of Yahoo by Verizon. A second breach, in 2016, came to light a short time thereafter.
The SEC proceedings centered upon the disclosure of the breach, or lack thereof, rather than the cyber-attack itself, which the SEC noted was attributed to Russian operatives. The SEC Press Release notes that the SEC found that “when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company’s SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC’s order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.”
The Commission, which had not previously been very active in cybersecurity enforcement, has now served notice that it will act not only with regard to the regulations concerning notice of cybersecurity events but also, perhaps more significantly, with regard to the absence of required digital information safeguards. Jina Choi, Director of the SEC’s San Francisco office, was quoted in the Press Release stating, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”
Clearly, there is a new sheriff in town when it comes to cybersecurity enforcement.
If you have questions regarding notification requirements in the wake of a data breach, or how to include cybersecurity questions in due diligence and/or disclosures in mergers or acquisitions, please contact Kenneth N. Rashbaum.