CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Posts Tagged ‘U.S. Securities and Exchange Commission’

DOL Fiduciary Rule Suffers a Slow Death

Posted on: May 15th, 2018

By: Ted Peters

In 2016, the U.S. Department of Labor (“DOL”) promulgated a set of rules and regulations now infamously referred to as the “Fiduciary Rule.”  After multiple criticism and legal challenges, the Fifth Circuit Court of Appeal struck down the Fiduciary Rule effective May 7, 2018.  Surprising many, the DOL elected not to challenge the Fifth Circuit ruling.  Even more surprising, however, was the bulletin issued by the DOL on the effective date of the court’s order.

The court’s ruling, which was not opposed by the DOL, left many unanswered questions.  Enter the DOL’s field bulletin.  Rather than admitting the total defeat of the Fiduciary Rule, however, the DOL seeks to maintain the status quo.  Specifically, the DOL announced that pending further guidance, advisors will not be penalized for either complying with the Fiduciary Rule, or ignoring it in favor of pre-existing standards.  Unfortunately, this announcement leaves the single most important question unanswered – what is the standard to which advisors will be held?  With the U.S. Securities and Exchange Commission working on its own set of rules, and the wait-and-see approach embraced by the DOL notwithstanding, only time will tell.

If you have questions or would like more information, please contact Ted Peters at [email protected].

Yahoo Fined $35M for Delay in Disclosing 2014 Cyberattack

Posted on: April 30th, 2018

By: Theodore C. Peters

On April 24, 2018, the U.S. Securities and Exchange Commission hit Altaba, Inc. (formerly known as Yahoo) with a $35 million fine.  The penalty stems from Yahoo’s failure to disclose a 2014 cyberattack until 2016, even though it knew of the breach within days after it occurred.

In its order, the SEC said that Yahoo’s information security team was promptly advised that Russian hackers had acquired highly sensitive information that Yahoo itself referred to as its “crown jewels,” namely Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of accounts.  Despite such knowledge, however, Yahoo waited until September 2016, on the eve of a pending sale to Verizon Communications, Inc., before it officially disclosed the breach.

Yahoo’s disclosure of the breach resulted in an immediate 3 percent decline (estimated at $1.3B) of Yahoo’s share price, and caused Verizon to renegotiate the purchase price, lowering it by $350M (representing a 7.5% discount).  Before publicly acknowledging the breach, Yahoo released annual and quarterly reports that the SEC concluded were “materially misleading” insofar as “they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information…”(emphasis added).

Yahoo later amended its risk factor disclosures and MD&A (Yahoo management’s discussion of financial condition and results of operations) to reflect the 2014 breach in its subsequent public filings.  On October 9, 2016, Yahoo acknowledged that the breach occurred in 2014.  Yahoo also corrected prior public disclosures for 2014 and 2015, which indicated that Yahoo’s disclosure controls and procedures were effective.  The amended filings stated that such controls and procedures were not effective.

As part of its agreement with the SEC, Altaba neither confirmed nor denied the statements in the order.  Whether further action will be taken against any of the Yahoo executives who were employed at the time of the 2014 cyberattack remains to be seen.  Altaba must pay the $35M penalty.

Separately, a U.S. District Court Judge, for the Northern District of California, held off on sentencing of a 23-year-old Canadian “international hacker-for-hire,” Karim Baratov. At an April 24, 2018 sentencing hearing, Judge Vince Chhabria told federal prosecutors that he was concerned that Baratov could potentially face a tougher sentence solely based upon the fact that among Baratov’s clients were certain Russian nationals who committed the 2014 Yahoo cyberattack, even though there was no evidence that Baratov himself was involved in the Yahoo breach.  Prosecutors sought a near eight year term of imprisonment.  During the sentencing hearing, Judge Chhabria stated that he had “multiple concerns” about the sentence and noted that other hackers engaged in similar conduct had received lesser sentences.  Further briefing was ordered on the issue of what national sentencing ranges are for hackers convicted in federal court.

If you have questions or would like more information, please contact Ted Peters at [email protected].