The Securities and Exchange Commission (SEC) has undertaken its first enforcement action in connection with a public company’s failure to timely disclose a cybersecurity incident. Last month, Altaba Inc., the former Yahoo! Inc. (Yahoo!), agreed to pay the SEC $35 million to resolve allegations that it had failed to disclose a 2014 data breach that ultimately affected 3 billion accounts. See In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., Admin. Proc. No. 3-18448 (April 24, 2018).

The SEC alleged that Yahoo!, the Internet’s reigning monarch in the 90s, learned of a significant breach in late 2014. The breach apparently compromised significant user data, including names and passwords. The SEC contended that Yahoo! failed to notify outside auditors of the breach. Nor did Yahoo! evaluate the breach to assess the magnitude of the security problem or determine the need for investor disclosure. Yahoo! did not disclose the breach until September 2016. In the intervening period, Yahoo! continued to file required forms with the SEC from 2014 through September 2016 without noting the breach.

The SEC alleged that Yahoo!’s failure to report the breach in its filings, together with its inadequate internal controls, violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act. These allegations formed the basis of the $35 million settlement penalty. In keeping with standard practice, Yahoo! neither conceded nor denied any wrongdoing. It also agreed to comply with securities reporting laws and to cooperate with additional investigations. Those additional investigations could implicate other entities or individuals in the future.

The episode contains a number of lessons for publicly traded companies evaluating their reporting response in the wake of a cyber incident.

These recommendations are in line with the SEC’s own recent guidance on the subject of public company cybersecurity disclosures. While Yahoo! may be the first company to settle with the SEC for failure to timely disclose a cybersecurity incident, it is not likely to be the last.

— — —

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
