The SEC announced April 24 that the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose a massive data breach impacting more than 500 million user accounts. As alleged, the company learned of the breach that resulted in the theft of hundreds of millions of usernames, birthdates, passwords and telephone numbers in late 2014, but failed to disclose the breach in its public filings for nearly two years.
[Note: Yahoo sold much of its core business to Verizon after the breach disclosure, and changed its name to Altaba. For the sake of convenience, this blog uses “Yahoo” throughout.]
The SEC claimed that Yahoo’s risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading because they identified only a potential risk of future data breaches, not the present, known incursion. Yahoo’s MD&A also allegedly omitted the known trends or uncertainties regarding liquidity or net revenue that the 2014 data breach presented.
According to the SEC charges, Yahoo failed to make any disclosure concerning the hack during its negotiations over a proposed sale of its operating business to Verizon Communications in July 2016. Yahoo made affirmative representations denying the existence of any significant data breaches in a July 2016 stock purchase agreement with Verizon, under which Verizon was to acquire Yahoo’s operating business for $4.825 billion. Yahoo subsequently disclosed the 2014 data breach in September 2016 in a press release filed as an attachment to a Form 8-K, and also disclosed the breach to Verizon. Yahoo stock dropped significantly upon release of the news, and Verizon renegotiated the purchase price downward.
The Commission also charged that Yahoo did not share any information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. In addition, the company allegedly failed to maintain disclosure controls and procedures to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Longstanding SEC rules already required Yahoo to disclose the data breach, and the Division of Corporation Finance had specifically highlighted the risks and obligations associated with cyber breaches in 2011. The staff advised that companies should disclose risks associated with cyber incidents under Item 503(c) of Regulation S-K if, as that provision states, “these issues are among the most significant factors that make an investment in the company speculative or risky.” The staff also advised that Form 8-K disclosure might be required for material developments, and that discussion in the MD&A section of the company’s periodic reports might be appropriate.
Yahoo entered into the settlement agreement without admitting or denying liability. A particularly interesting, and challenging, part of the settlement agreement is found in the undertakings. The company agreed to use its best efforts “to secure the full, truthful, and continuing cooperation of Respondent’s current and former directors, officers, employees and agents, including making those persons available for interviews and the provision of testimony in any and all investigations, litigations or other proceedings relating to or arising from the matters described in the Order when requested to do so by the Division’s staff, at Respondent’s expense.” It may indeed be a tall order to secure the cooperation of former personnel when the SEC staff asks for it.
The case is notable for several reasons. First, the sheer size of the settlement is striking on its face. Second, the SEC has signaled a renewed interest in cybersecurity matters, as shown by the release of new Commission guidance in February 2018. That guidance expanded on the 2011 staff advice and elevated it to the Commission level.
According to the Commission, it is essential for companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” To facilitate compliance with this requirement, companies must establish and maintain disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including cyber incidents.
The Commission recognized that in many cases, the material facts concerning the scope of the incident may not be immediately available, and that companies may also need time to cooperate with law enforcement. The guidance cautioned, however, that “an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
It is also difficult to imagine a scenario in which a two-year delay in disclosing a breach on the scale of Yahoo’s would ever be acceptable. This case presents 35 million good reasons not to try.