FMG Law Blog Line

Posts Tagged ‘breach’

Yahoo Fined $35M for Delay in Disclosing 2014 Cyberattack

Posted on: April 30th, 2018

By: Theodore C. Peters

On April 24, 2018, the U.S. Securities and Exchange Commission hit Altaba, Inc. (formerly known as Yahoo) with a $35 million fine.  The penalty stems from Yahoo’s failure to disclose a 2014 cyberattack until 2016, even though it knew of the breach within days after it occurred.

In its order, the SEC said that Yahoo’s information security team was promptly advised that Russian hackers had acquired highly sensitive information that Yahoo itself referred to as its “crown jewels,” namely Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of accounts.  Despite such knowledge, however, Yahoo waited until September 2016, on the eve of a pending sale to Verizon Communications, Inc., before it officially disclosed the breach.

Yahoo’s disclosure of the breach resulted in an immediate 3 percent decline (estimated at $1.3B) in Yahoo’s share price, and caused Verizon to renegotiate the purchase price, lowering it by $350M (representing a 7.5% discount).  Before publicly acknowledging the breach, Yahoo released annual and quarterly reports that the SEC concluded were “materially misleading” insofar as “they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information…” (emphasis added).

Yahoo later amended its risk factor disclosures and MD&A (Yahoo management’s discussion of financial condition and results of operations) to reflect the 2014 breach in its subsequent public filings.  On October 9, 2016, Yahoo acknowledged that the breach occurred in 2014.  Yahoo also corrected prior public disclosures for 2014 and 2015, which indicated that Yahoo’s disclosure controls and procedures were effective.  The amended filings stated that such controls and procedures were not effective.

As part of its agreement with the SEC, Altaba neither confirmed nor denied the statements in the order.  Whether further action will be taken against any of the Yahoo executives who were employed at the time of the 2014 cyberattack remains to be seen.  Altaba must pay the $35M penalty.

Separately, a U.S. District Court judge for the Northern District of California held off on sentencing a 23-year-old Canadian “international hacker-for-hire,” Karim Baratov. At an April 24, 2018 sentencing hearing, Judge Vince Chhabria told federal prosecutors that he was concerned that Baratov could potentially face a tougher sentence solely based upon the fact that among Baratov’s clients were certain Russian nationals who committed the 2014 Yahoo cyberattack, even though there was no evidence that Baratov himself was involved in the Yahoo breach.  Prosecutors sought a near eight-year term of imprisonment.  During the sentencing hearing, Judge Chhabria stated that he had “multiple concerns” about the sentence and noted that other hackers engaged in similar conduct had received lesser sentences.  Further briefing was ordered on the issue of what national sentencing ranges are for hackers convicted in federal court.

If you have questions or would like more information, please contact Ted Peters at [email protected].

Countries Around the World Are Investigating Facebook’s Cambridge Analytica Event

Posted on: April 26th, 2018

By: Allen E. Sattler

On March 18, 2018, news broke of the Cambridge Analytica event where the data of an estimated 87 million Facebook users was disclosed to the UK-based political consulting firm.  The breach of user data resulted in several U.S. investigations, including by Congress and by the Federal Trade Commission (“FTC”).  Facebook entered into a consent decree with the FTC in 2011, where Facebook agreed to never make deceptive claims concerning users’ privacy and to obtain users’ informed consent before changing the way in which it shares their data.  The FTC is investigating whether Facebook violated the terms of this agreement, which carries a possible $40,000 per-violation fine.

On April 10 and 11, Mark Zuckerberg appeared before Congress where he testified that Facebook failed to protect its users’ data and that Facebook “didn’t take a broad enough view” of its responsibility in ensuring the privacy of its users following its initial discovery of the Cambridge Analytica event.  He also accepted personal responsibility for the matter as the company’s founder and CEO.

What might have been lost in the flurry of domestic activity is the amount of scrutiny Facebook is receiving from nations around the globe.  This breach involved users from many countries, with over 1 million affected users in each of four different countries.

The European Union launched an investigation into Facebook on March 19, and the United Kingdom and Australia quickly followed.  Under Australian privacy laws, the government has the authority to issue fines against Facebook of up to $1.6 million if it determines that Facebook violated those laws.

Countries of Southeast Asia soon followed with investigations of their own.  Indonesia, which is home to over 115 million Facebook users, 1 million of whom were affected by this breach, launched an investigation on April 6.  Under Indonesian law, the government can assess fines against Facebook representatives personally of up to $870,000.  Singapore has opened an investigation as well and has already questioned Facebook executives located in the country.

The Philippines announced its investigation into Facebook on April 13.  The country was rated as the biggest user of social media several years running.  Research indicates that Filipinos spend almost four hours per day on various social media platforms.  This breach affected nearly 1.2 million Filipinos, and news reports indicate that Cambridge Analytica might have helped President Rodrigo Duterte in his successful 2016 campaign.  The event therefore has enormous significance to Filipinos.

On Friday, April 20th, Germany became the latest country to open an official investigation into Facebook.  Germany’s data privacy regulator said fines could be levied against Facebook in the amount of 300,000 euros ($366,000).

Facebook had revenues of more than $40 billion last year, so the fines that each country might assess against the company seem relatively insignificant.  The investigations launched against Facebook can nevertheless have a big impact on the company and on the entire industry.  This event has garnered the attention of countries around the world, and it has already led to a greater awareness of privacy concerns that exist on social media platforms.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].