On April 24, 2018 the Securities and Exchange Commission (“SEC”) announced a settlement with Altaba, Inc., formerly Yahoo! Inc., for misleading investors by failing to disclose a data breach in which Russian hackers stole data for hundreds of millions of Yahoo accounts. This settlement and penalty, the first by the SEC following a data breach, comes in the wake of recent SEC guidance on cybersecurity risks and disclosures.
In late 2014, Yahoo learned that it had been subject to massive cyber-intrusions that resulted in the loss of data including user names, e-mail addresses, encrypted passwords, birthdates, and telephone numbers for hundreds of millions of users. Following the breach, Yahoo learned that the same Russian hackers continued to target Yahoo’s database throughout 2015 and 2016, and that increasing amounts of Yahoo user information were for sale on the dark web.
The SEC findings alleged that by December of 2014, Yahoo’s information security team was aware of the vast number of users affected by the breach, along with the highly sensitive nature of information stolen. Over the course of the next few years, Yahoo learned that incursion attempts by the same actors continued. Despite this knowledge, Yahoo did not include information regarding the breach in its quarterly or annual SEC filings in 2015 or 2016. Furthermore, when Yahoo transferred certain business operations to Verizon in July 2016, it neglected to mention the data breach in diligence responses to Verizon or in the Stock Purchase Agreement, which was attached to Form 8-K and filed with the SEC on July 25, 2016.
The existence of the data breach and its scope were publicly disclosed for the first time on September 22, 2016, when Yahoo filed a Form 8-K with the SEC and notified Verizon of the data breach. The next day, Yahoo’s market capitalization fell approximately $1.3 billion. The disclosure also resulted in the reduction of Verizon’s acquisition price by 7.25%.
This settlement illustrates the SEC’s role as a bona fide enforcer in the cybersecurity realm. While this settlement did not include sanctions beyond a monetary penalty, the SEC could, in the future, impose remedies not available to private securities class actions, such as imposing officer/director bars. Accordingly, publicly traded companies must be very careful concerning their disclosures when there are known or reasonably suspected security breaches. Given the prevalence of cyber-attacks, this will certainly not be the SEC’s last enforcement action in this regard.