The U.S. Securities and Exchange Commission (“SEC”) fined Altaba, Inc., formerly known as Yahoo! Inc., $35 million for misleading investors by waiting almost two years to acknowledge a massive data breach in 2014, the first such penalty ever levied against a publicly-traded company for failing to disclose a cyberattack.
Altaba consented to a Cease-and-Desist Order with the SEC on April 24, 2018, and agreed to pay for violations of (1) Sections 17(a)(2) and 17(a)(3) of the Securities Act related to untrue statements and omissions about the 2014 data breach, and (2) Section 13(a) of the Exchange Act and the related rule pertaining to a failure to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports the issuer files or submits under the Exchange Act is timely and not misleading.
Yahoo learned in December 2014 that hackers linked to the Russian government infiltrated its networks and systems, and stole copies of Yahoo’s user database files containing highly sensitive data of at least 108 million users. The stolen data, which Yahoo’s Chief Information Security Officer (“CISO”) described as the company’s “crown jewels,” included Yahoo usernames, email addresses, telephone numbers, dates of birth, passwords, and security questions and answers.
Within days of the breach, Yahoo’s security team escalated its findings to the company’s senior management and legal department. Neither senior management nor the in-house legal team notified Yahoo’s auditor or external counsel about the breach to determine whether it was a material event that should be disclosed in the company’s public filings.
During the period after the breach, Yahoo’s disclosures concerning security breaches read: “If our security measures are breached, our products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure.” And, after identifying the types of products and services it offers to users, Yahoo’s disclosures stated that “security breaches expose us to a risk of loss of . . . information, litigation, remediation costs, increased costs for security measures, loss of revenue, damage to our reputation, and potential liability.” These disclosures were misleading because they contemplated a “prospective” security incident and failed to alert users and current and potential investors that a massive breach had already occurred.
When Yahoo ultimately disclosed the breach in 2016 as part of a merger involving Verizon, it resulted in a $350 million reduction in the acquisition price and restatement of Yahoo’s annual and quarterly filings for the affected periods. Verizon acquired Yahoo's operating business for $4.5 billion in 2017 and renamed it Altaba.
The SEC’s Order finds that when Yahoo filed quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. The SEC’s Order charitably concluded that Yahoo’s disclosure failure occurred because the company “lacked disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of theft of user data, or the significant risk of theft of user data were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings.”
The SEC’s Order signals that when a company is aware of a cyberattack that materially impacts the company, merely disclosing the risk that such an attack could occur is misleading. At the same time, the Order indicates that the SEC does not expect immediate disclosure of a cyberattack in all cases.
First, after years of issuing interpretative guidance, convening roundtable discussions, and sanctioning fines by Self-Regulatory Organizations against smaller broker-dealers, the SEC Staff crossed the Rubicon and fined a public company for lax cybersecurity disclosure controls. All public companies and regulated entities under the SEC’s jurisdiction are on notice that the SEC is serious about enforcing cybersecurity requirements.
Second, companies need to be very careful about their cybersecurity disclosures. Formulaic recitations are insufficient; disclosures must be tailored to the specific events at each company.
Third, the SEC’s Order did not create a bright-line rule for when to disclose a cybersecurity event. Steven Peikin, Co-Director of the Enforcement Division, said that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” Mr. Peikin’s statement is a recognition that circumstances may arise in which a company delays disclosure of a security incident (e.g., at the request of law enforcement or until it gathers enough information to provide an accurate account). However, this was an easy case because Yahoo waited almost two years to disclose the 2014 breach.
Fourth, lawyers cannot avoid scrutiny on the ground that the legal department traditionally has no role in the security operations of a company’s network infrastructure. The Order recognized that Yahoo’s CISO notified the legal department and provided “relevant information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it.” Lawyers are risk managers who cannot turn away from material risks to the company.
Fifth, companies need to have controls and procedures so that information about a material security incident can be communicated to a cross-functional team in real-time to address the incident.
The unanswered question is whether the SEC will take action against executives (and perhaps directors) who were aware of the breach and did not cause the information to be disclosed. Marissa Mayer, Chief Executive Officer during the 2014 breach, agreed to forego her 2017 bonus and equity grants. The investigation remains open. Time will tell whether Ms. Mayer’s mea culpa will be enough.