The SEC’s recent enforcement action and settlement with Altaba (formerly known as Yahoo) over the company’s major data breach provides a roadmap for how public companies should proactively approach data breach disclosure. The major takeaways are: (1) companies should have effective controls in place to assess their disclosure obligations after an incident; (2) known cyberattacks should, when appropriate, be discussed in the risk factor disclosures in public filings; and (3) a known cyberattack that has, or is reasonably likely to have, a material impact on the business must be disclosed.
Background
On April 24, 2018, the SEC announced that Altaba had agreed to pay a $35 million penalty to settle claims that the company failed to timely disclose a data breach that affected hundreds of millions of Yahoo’s users. This is the first time the SEC has initiated and settled an enforcement action alleging that a company’s failure to disclose a breach violated the federal securities laws. The enforcement action and settlement follow the interpretive guidance the SEC issued in February 2018 (see SEC Issues Guidance on Cybersecurity Disclosures).
The SEC’s order describes how, in December 2014, Yahoo’s information security team determined the company suffered a widespread data breach. Hackers allegedly gained access to personally identifiable information from millions of Yahoo users. According to the SEC order, Yahoo’s chief information security officer informed the company’s management and legal team of the breach within days. Nevertheless, Yahoo did not disclose the breach to the company’s outside auditors or outside counsel, did not notify any of its users and did not disclose the breach in its public filings. Yahoo did not publicly acknowledge the data breach until September 2016, when it disclosed that it believed that state-sponsored hackers had stolen personally identifiable information associated with at least 500 million user accounts.
SEC Findings and Penalty
The SEC found that Yahoo’s failure to disclose the 2014 data breach rendered its public filings in the period following the breach materially misleading. The SEC determined that, among other things:
- Yahoo should have disclosed the breach in its annual and quarterly reports;
- The risk factor disclosures that discussed the risk of potential future data breaches, and related harms, were materially misleading because they failed to disclose that a massive data breach had, in fact, already occurred; and
- Sarbanes-Oxley certifications stating that Yahoo had effective disclosure controls and procedures were false, because deficiencies in the company’s security incident response protocols meant that information about the breach did not reach the personnel responsible for disclosure decisions; those certifications subsequently had to be corrected.
The SEC imposed a $35 million penalty and ordered the company to cease and desist from committing further violations of the securities laws.
Takeaways
Some key takeaways for public companies:
- Cybersecurity assessment and disclosure. The SEC order found that Yahoo did not have effective controls in place to assess the company’s disclosure obligations. Companies should maintain controls and procedures that ensure information about cybersecurity incidents is escalated promptly to the personnel responsible for disclosure decisions, including outside counsel and auditors where appropriate.
- Disclosures regarding the risk of potential future cyberattacks and their attendant harms may, under certain circumstances, be materially misleading unless they also discuss known cyberattacks. Yahoo’s SEC filings contained risk factor disclosures regarding potential future cyberattacks and their attendant harms, but did not disclose the 2014 data breach. According to the SEC, the omission misleadingly suggested that a significant data breach had not yet occurred.
- In SEC filings, companies should assess whether known cyberattacks are reasonably likely to have a material impact on the business, or are otherwise significant enough to require disclosure as a separate risk factor. The SEC order found that Yahoo’s periodic reports were also misleading because the company did not disclose the 2014 data breach as required by Items 303 and 503(c) of Regulation S-K.
- Insider trading issues. The SEC warned that if a data breach or similar cybersecurity incident is material and remains undisclosed to the public, individuals trading company securities may face insider trading liability.
- Controls to assess disclosure obligations following a cybersecurity incident. Separate and apart from any disclosure obligations under the securities laws, companies should assess their notification obligations, and implement controls to meet them, under other laws and regulations, including state data breach notification and data privacy laws.
- Violations may lead to class actions, civil suits and additional liability. Altaba recently disclosed that it settled a securities class action brought in connection with the data breach.