Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

5/22/18

By: Jennifer Lee
On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach which affected more than 500 million Yahoo! user accounts.
SEC’s Findings
The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.
In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.
Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.
The data breach was not disclosed until September 2016, in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decreased by 3%, resulting in a $1.3 billion drop in its market cap.
Lessons Learned
Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach from the risk factor disclosures was misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects that might result from future breaches were merely speculative.
Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K Item 303 requires companies to disclose trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents have the potential to, and often do, lead to a significant depreciation in a company’s stock price and market cap, failing to perform regular assessments of cybersecurity threats and their likely impact on the business will inevitably lead companies to run afoul of Regulation S-K.
Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and how they may affect companies’ disclosure obligations under federal securities laws.
If you have any questions or would like more information, please contact Jennifer Lee at jlee@fmglaw.com.