The SEC announced April 24 that the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose a massive data breach impacting more than 500 million user accounts. As alleged, the company learned of the breach that resulted in the theft of hundreds of millions of usernames, birthdates, passwords and telephone numbers in late 2014, but failed to disclose the breach in its public filings for nearly two years.
[Note: Yahoo sold much of its core business to Verizon after the breach disclosure, and changed its name to Altaba. For the sake of convenience, this blog uses “Yahoo” throughout.]
The SEC claimed that Yahoo made risk factor disclosures in annual and quarterly reports from 2014 through 2016 that were materially misleading because they only identified a potential risk of future data breaches, rather than a present, known incursion. Yahoo’s MD&A also allegedly omitted these known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 data breach.
According to the SEC charges, Yahoo failed to make any disclosures concerning the hack during the course of its negotiations in connection with a proposed sale of its operating business to Verizon Communications in July 2016. Yahoo made affirmative representations denying the existence of any significant data breaches in a July 2016 stock purchase agreement with Verizon, by which Verizon was to acquire Yahoo’s operating business for $4.825 billion. Yahoo subsequently disclosed the 2014 data breach in September 2016 in a press release filed as an attachment to a Form 8-K, and also disclosed the breach to Verizon. Yahoo stock dropped significantly upon release of the news, and Verizon renegotiated the purchase price downward.
The Commission also charged that Yahoo did not share any information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. In addition, the company allegedly failed to maintain disclosure controls and procedures to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
While longstanding SEC rules required Yahoo to disclose the data breach, the Division of Corporation Finance had highlighted the particular risks and obligations associated with cyber breaches in 2011. The staff advised that companies should disclose risks associated with cyber incidents under Item 503(c) of Regulation S-K if, as that provision states, “these issues are among the most significant factors that make an investment in the company speculative or risky.” The staff also advised that Form 8-K disclosure might be required for material developments, and that discussion in the MD&A portion of the financial statements might be appropriate.
Yahoo entered into the settlement agreement without admitting or denying liability. A particularly interesting, and challenging, part of the settlement agreement is found in the undertakings. The company agreed to use its best efforts “to secure the full, truthful, and continuing cooperation of Respondent’s current and former directors, officers, employees and agents, including making those persons available for interviews and the provision of testimony in any and all investigations, litigations or other proceedings relating to or arising from the matters described in the Order when requested to do so by the Division’s staff, at Respondent’s expense.” It may indeed be a tall order to secure the cooperation of former personnel when asked to do so by the SEC staff.
The case is notable for several reasons. First, the sheer size of the settlement is striking on its face. In addition, the SEC has indicated a renewed interest in cybersecurity matters, as demonstrated by the release of new Commission guidance in February 2018. The SEC expanded on the 2011 staff advice and elevated the guidance to the Commission level.
According to the Commission, it is essential for companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” To facilitate compliance with this requirement, companies must establish and maintain disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including cyber incidents.
The Commission recognized that in many cases, the material facts concerning the scope of the incident may not be immediately available, and that companies may also need time to cooperate with law enforcement. The guidance cautioned, however, that “an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
It is also safe to say that it is difficult to imagine a scenario in which a two-year delay in disclosing a breach on the scale of Yahoo’s would ever be acceptable. This case presents 35 million good reasons not to do so.