The U.S. Securities and Exchange Commission announced on April 24, 2018, that Yahoo! — now known as Altaba — agreed to pay a $35 million penalty to settle claims that the company failed to timely disclose a 2014 data breach that compromised hundreds of millions of user accounts. The settlement marks the first time that the SEC has brought an enforcement action alleging that a company’s failure to disclose a breach violated the federal securities laws. The Yahoo action follows on the heels of the SEC’s February 2018 interpretative guidance on public company cybersecurity disclosures, discussed in a previous Fenwick alert, which was widely seen as a further signal that the SEC would be more closely scrutinizing public company responses to cybersecurity incidents.
The enforcement action underscores the necessity for public companies to adopt and implement a comprehensive cybersecurity incident response plan, and to ensure that the plan includes early involvement of attorneys and other advisors who can provide counsel about disclosure obligations. Further, the SEC’s action reinforces companies’ continuing obligations to assess risk factor and other public disclosures about the impact of possible or actual data breaches on their business.
Background on the Data Breach
According to the SEC’s order, in December 2014, Yahoo’s information security team determined that the company had suffered a severe and widespread data breach. Hackers associated with the Russian Federation had gained access to database files containing a broad range of personally identifiable information (PII) from Yahoo users, including their usernames, email addresses, telephone numbers, birth dates, hashed passwords, and security questions and answers. The company determined that the data breach affected at least 108 million users, and likely Yahoo’s entire user database of billions of users. In addition, the hackers gained access to the email accounts of 26 Yahoo users who were specifically targeted because of their connections to Russia.
Yahoo’s chief information security officer reported the data breach to the company’s senior management and legal teams within a matter of days. However, according to the SEC’s order, Yahoo did not disclose the breach to the company’s outside auditors and outside counsel to assess potential disclosure obligations. The company provided notice of the breach to the 26 users whose email accounts were compromised, but Yahoo did not notify any of the hundreds of millions of other users whose PII had also been compromised. Nor did Yahoo disclose the breach in any of its public filings.
The hackers continued to target Yahoo’s user database throughout 2015 and into early 2016. In addition, Yahoo received reports that a large volume of Yahoo user credentials were available for sale on the dark web. By June 2016, Yahoo’s chief information security officer concluded that hackers had likely gained access to PII from the company’s entire user database and could sell it on the dark web in the immediate future. Although he reported his conclusions to senior management, the SEC’s order emphasized that Yahoo again failed to disclose the breach to its users or in its public filings.
Yahoo did not publicly acknowledge the data breach until September 2016, when it disclosed that state-sponsored hackers had stolen PII associated with at least 500 million user accounts. At the time, the attack was the largest known data breach in history.1 The following day, Yahoo’s stock price fell by 3 percent, amounting to a loss of nearly $1.3 billion in market capitalization. Moreover, the company, which was in negotiations to sell its operating businesses to Verizon, was forced to accept a 7.25 percent discount on the purchase price, amounting to a decrease of $350 million.
SEC Findings and Penalty
The SEC found that Yahoo’s failure to disclose the 2014 data breach rendered its public filings in the period following the breach materially misleading in a number of ways.
Risk factor disclosures that discussed the risk of potential future data breaches, and related harms, were materially misleading because they failed to disclose that a severe and widespread data breach had, in fact, already occurred.
Yahoo should have disclosed the breach in its annual and quarterly reports in connection with Management’s Discussion and Analysis of Financial Condition and Results of Operations, which requires disclosure of known trends or uncertainties that are reasonably likely to have a material effect on liquidity or net revenue.
The stock purchase agreement between Yahoo and Verizon, which was publicly-filed with the SEC, contained affirmative representations from Yahoo to Verizon denying the existence of any significant data breaches.
SOX certifications stating that Yahoo had effective disclosure controls and procedures were false due to deficiencies in the company’s security incident response protocols and subsequently had to be corrected.
The SEC imposed a $35 million penalty and ordered Yahoo to cease and desist from committing further violations of the securities laws.
Related Private Litigation
Yahoo’s settlement with the SEC is just one piece of the fallout from the 2014 data breach and similar data breaches from 2013 to 2016. Yahoo continues to face active shareholder derivative actions in California and Delaware state courts. Further, on March 2, 2018, Yahoo entered into a proposed settlement in a federal securities class action litigation arising from Yahoo’s failure to publicly disclose the data breaches. Significantly, the $80 million proposed settlement is the first major securities class action settlement to arise from a cybersecurity incident. While there have been other securities suits from major breaches, they previously did not gain much traction. We predict that the SEC’s recent interpretative guidance and the enforcement action against Yahoo may give future securities class actions involving data breaches new life.
Yahoo also faces a pending federal consumer class action by Yahoo users. While some claims relate to Yahoo’s allegedly deficient security measures, plaintiffs also assert a number of claims based on Yahoo’s failure to timely disclose the breaches to affected users, including claims for deceit by concealment and violation of California’s data breach notification law. On March 9, 2018, the court granted in part and denied in part Yahoo’s motion to dismiss, but the plaintiffs’ claims largely survived.
The SEC found a severe breakdown in cybersecurity assessment and disclosure. The SEC order found that Yahoo did not have effective controls in place to assess the company’s disclosure obligations. The order emphasized that Yahoo’s senior management and internal legal team failed to disclose the breach to the company’s outside auditors and outside counsel for an external assessment of disclosure obligations. In so doing, the company compounded its internal failure to properly assess disclosure obligations. Steven Peikin, co-director of the enforcement division, highlighted the breakdown in his statement about the settlement: “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
However, the Yahoo case should not be read as requiring public disclosure of every large data breach. Rather, as the SEC said in the Yahoo order and has said in past public statements, companies which have robust procedures to assess the materiality of breaches, and which in good faith make a determination about the need for disclosure, should not face an SEC enforcement action. Thus, companies should ensure that they have controls and procedures in place — including the right in-house and external legal advisers — to assess the materiality of cybersecurity incidents and whether disclosure is required by the securities laws.
Disclosures regarding the risk of potential future cyberattacks and their attendant harms may be materially misleading without incorporating discussion of known cyberattacks. Yahoo’s periodic SEC filings contained risk factor disclosures regarding potential future cyberattacks and their attendant harms but did not disclose the 2014 data breach. According to the SEC, the omission “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” The outcome is consistent with SEC guidance originally issued in 2011 and reiterated in its recent interpretative guidance, which notes that “companies may need to disclose previous or ongoing cybersecurity incidents or past events in order to place discussions of these risks in the appropriate guidance.”
In periodic SEC filings, companies should assess whether known cyberattacks are reasonably likely to have a material impact on the business, or are otherwise significant enough to require disclosure as a separate risk factor. The SEC order found that Yahoo’s periodic reports were also misleading because the company did not disclose the 2014 data breach as required by Items 303 and 503(c) of Regulation S-K. Item 303 requires companies to include known trends or uncertainties reasonably likely to have a material impact on the business as part of its MD&A disclosures. Item 503(c) requires companies to disclose the most significant risk factors that make the offering speculative or risky. The SEC’s action underscores the need for companies to assess the business impact of cybersecurity incidents both on an individual level and in context with other risks.
SEC is continuing its investigation, indicating that additional charges may be forthcoming. The SEC’s press release expressly notes that its investigation is continuing, and the settlement acknowledges that the penalty amount reflects Yahoo’s undertaking to fully cooperate with the SEC in any related matters (i.e., the penalty would have been larger but for Yahoo’s agreement to cooperate). Although it is difficult to determine the focus of the SEC’s ongoing investigation, it is quite certain that the focus will be on individuals, and not on Yahoo’s collective failures. One likely avenue of investigation is whether individuals at Yahoo should be held personally liable in an enforcement action for the disclosure failures. A second possible focus of the continuing investigation is on whether individuals with knowledge of the breach and its impact on the company engaged in insider trading. Noteworthy is the SEC’s recent interpretative guidance, which emphasizes that company insiders may violate insider trading laws by trading while in possession of material nonpublic information about a company’s cybersecurity risks and incidents.
As part of your incident response plan, be sure to address insider trading issues. As noted above, the SEC has warned that if a data breach or similar cybersecurity incident is material and remains undisclosed to the public, individuals trading company securities may face insider trading liability. Indeed, the SEC recently charged a former Equifax executive with insider trading based upon evidence that the executive knew of a massive breach and sold shares intending to avoid losses once the news was disclosed. Moreover, the same individual was charged criminally by the Department of Justice for the same conduct.
Adopt and implement controls to assess comprehensive disclosure obligations following a cybersecurity incident. Separate and apart from any disclosure obligations under the securities laws, companies must also assess disclosure obligations under other laws and regulations, including relevant data privacy laws. Almost every state has adopted a data privacy and breach notification law in the absence of a uniform federal law. As a result, companies face a patchwork of disclosure obligations to customers or other victims, state attorneys general, credit reporting agencies and other third-parties. Moreover, the EU General Data Protection Regulation, which goes into effect on May 25, 2018, imposes its own set of disclosure obligations. The complexity of the regulatory regime underscores the need to implement comprehensive controls and procedures to assess disclosure obligations before a cybersecurity incident occurs.
1In December 2016, Yahoo also disclosed a 2013 data breach affecting an estimated 1 billion user accounts. In October 2017, Yahoo revised the estimate upward and confirmed that the 2013 cyberattack affected all 3 billion Yahoo user accounts.