FMG Law Blog Line

Posts Tagged ‘Yahoo’

Cyberrisks to Contractors and Securing Proper Coverage

Posted on: June 29th, 2018

By: Barry Brownstein

Increasingly sophisticated hackers have targeted personal and business data held by companies like Target Corp., Sony Corp., Equifax Inc. and Yahoo Inc. during the past decade. The construction industry is just as susceptible to these risks as any other industry.  As construction projects increase in size and there is more sharing of data related to buildings and projects, and as more of that sharing becomes electronic, cyberrisks increase as well.

Contractors and their business partners hold personal information about their clients and employees, and they are increasingly using more electronic means to exchange data and survey construction projects. A significant threat for companies in the construction industry comes from the open and increasingly connected network between those in charge of a project and their various subcontractors and business partners, who need swift and seamless access to plans and other sensitive data to do their part of the work.

Many companies in the construction industry assume that since they have policies that cover losses stemming from physical and property damage, any infiltration into their systems that results in the loss of access to sensitive information is covered by such insurance.  However, most commercial general liability policies carve out cyberthreats from coverage.  While contractors can still make claims under more traditional policies and may find that some of their losses are covered, relying solely on these protections may be dangerous and result in uncovered losses.

Specialized cyberinsurance can fill in the gaps left by commercial general liability policies that do not account for losses caused by damage to virtual information systems, and ensure that any damages, injuries or delay caused by downstream contractors or business partners are covered as well. Once policies are in place, contractors need to revisit them regularly to account for changes in the cyberthreat landscape as they relate to the construction industry.

If you have any questions or would like more information, please contact Barry Brownstein at [email protected].

Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

Posted on: May 22nd, 2018

By: Jennifer Lee

On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach which affected more than 500 million Yahoo! user accounts.

SEC’s Findings

The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.

In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.

Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.

The data breach was not disclosed until September 2016 in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decreased by 3%, resulting in a $1.3 billion drop in its market cap.

Lessons Learned

Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach in the risk factor disclosures was misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects that may result from future breaches are merely speculative.

Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K item 303 requires companies to include trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents have the potential to and often do, in fact, lead to a significant depreciation in a company’s stock price and market cap, failing to perform regular assessments of cybersecurity threats and their likely impact on the business will inevitably lead companies to run afoul of Regulation S-K.

Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and how they may affect companies’ disclosure obligations under federal securities laws.

If you have any questions or would like more information, please contact Jennifer Lee at [email protected].

Yahoo Fined $35M for Delay in Disclosing 2014 Cyberattack

Posted on: April 30th, 2018

By: Theodore C. Peters

On April 24, 2018, the U.S. Securities and Exchange Commission hit Altaba, Inc. (formerly known as Yahoo) with a $35 million fine.  The penalty stems from Yahoo’s failure to disclose a 2014 cyberattack until 2016, even though it knew of the breach within days after it occurred.

In its order, the SEC said that Yahoo’s information security team was promptly advised that Russian hackers had acquired highly sensitive information that Yahoo itself referred to as its “crown jewels,” namely Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers for hundreds of millions of accounts.  Despite such knowledge, however, Yahoo waited until September 2016, on the eve of a pending sale to Verizon Communications, Inc., before it officially disclosed the breach.

Yahoo’s disclosure of the breach resulted in an immediate 3 percent decline (estimated at $1.3B) of Yahoo’s share price, and caused Verizon to renegotiate the purchase price, lowering it by $350M (representing a 7.5% discount).  Before publicly acknowledging the breach, Yahoo released annual and quarterly reports that the SEC concluded were “materially misleading” insofar as “they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users’ personal information…” (emphasis added).

Yahoo later amended its risk factor disclosures and MD&A (Yahoo management’s discussion of financial condition and results of operations) to reflect the 2014 breach in its subsequent public filings.  On October 9, 2016, Yahoo acknowledged that the breach occurred in 2014.  Yahoo also corrected prior public disclosures for 2014 and 2015, which indicated that Yahoo’s disclosure controls and procedures were effective.  The amended filings stated that such controls and procedures were not effective.

As part of its agreement with the SEC, Altaba neither confirmed nor denied the statements in the order.  Whether further action will be taken against any of the Yahoo executives who were employed at the time of the 2014 cyberattack remains to be seen.  Altaba must pay the $35M penalty.

Separately, a U.S. District Court Judge for the Northern District of California held off on sentencing a 23-year-old Canadian “international hacker-for-hire,” Karim Baratov. At an April 24, 2018 sentencing hearing, Judge Vince Chhabria told federal prosecutors that he was concerned that Baratov could potentially face a tougher sentence solely based upon the fact that among Baratov’s clients were certain Russian nationals who committed the 2014 Yahoo cyberattack, even though there was no evidence that Baratov himself was involved in the Yahoo breach.  Prosecutors sought a near eight-year term of imprisonment.  During the sentencing hearing, Judge Chhabria stated that he had “multiple concerns” about the sentence and noted that other hackers engaged in similar conduct had received lesser sentences.  Further briefing was ordered on the issue of what national sentencing ranges are for hackers convicted in federal court.

If you have questions or would like more information, please contact Ted Peters at [email protected].