$35m penalty for Yahoo! Inc’s failure to disclose cybersecurity breach
On 24 April 2018, the United States Securities and Exchange Commission (SEC) announced that the entity formerly known as Yahoo! Inc (now known as Altaba Inc) had agreed to pay a penalty of $35 million (USD) to settle charges that it misled investors by failing to disclose a data breach in which hackers stole personal data relating to hundreds of millions of user accounts.
The data breach dates back to December 2014, when Russian hackers stole surnames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. As the SEC stated in its press release: “Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”
The breach was only disclosed to the investing public in 2016 – more than two years later – when Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications Inc.
The SEC held that:
- When Yahoo filed quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications;
- Yahoo failed to share information regarding the breach with auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings; and
- Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from the company’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Yahoo neither admitted nor denied the findings in the SEC order, but tendered an offer of settlement that was accepted by the SEC.
The SEC order is accessible here.
The SEC press release is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice.