In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents and asked whether an enforcement action might just be on the horizon? In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
In its Order, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers,” referred to internally as the company’s “crown jewels.” The company neither admitted nor denied the findings in the Order.
By December, the Order indicates, after the company’s information security team had drilled down and reached certain conclusions about the breach (including the hacking of the “email accounts of 26 Yahoo users specifically targeted by the hackers because of their connections to Russia”), the company’s Chief Information Security Officer advised members of senior management and legal teams of the problem. Throughout 2015 and early 2016, the company’s security team found that the same hackers continued to target the company, and by June 2016, the company’s new Chief Information Security Officer concluded, and communicated to senior management, that the company’s “entire user database, including the personal data of its users, had likely been stolen by nation-state actors through several hacker intrusions (including the 2014 breach), and ultimately could be exposed on the dark web in the immediate future.” But, the Order found, this information was not disclosed.
The Order charges that the company’s “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading….Furthermore, Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Yahoo did not maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings, including, but not limited to, in its risk factor disclosures or MD&A. To the extent that Yahoo shared information regarding the breach with affected users, they only notified the 26 users whose email accounts were accessed during the breach.”
In particular, the Order found that the company’s “risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches” that might expose the company to loss and liability “without disclosing that a massive data breach had in fact already occurred.” These risk factor disclosures “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” In addition, according to the Order, the company’s MD&A did not address the breach as a known trend or uncertainty.
In addition, the SEC found that there were also disclosure violations in connection with the proposed sale of the company’s operating business in July 2016: although the company “was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement [that] was attached to a Form 8-K filed with the Commission on July 25, 2016.”
In the Order, the SEC also found that, in September 2016, the company issued a press release disclosing the data breach and attached it as an exhibit to a Form 8-K. The company also amended various disclosures, including risk factors and MD&A, to reflect the occurrence of the breach and corrected its prior statements regard the effectiveness of its disclosure controls. The day following the announcement, the company’s market cap fell nearly $1.3 billion. In addition, the disclosure led to a renegotiation of the acquisition agreement, including a 7.25% price reduction in price.
The SEC concluded that the company “acted negligently in filing materially misleading periodic reports with the Commission” and violated a number of provisions of the Securities Act and the Exchange Act, as well as related rules. In settlement, the company agreed to cease and desist, to pay $35 million and also agreed to certain undertakings, including cooperation in connection with any further SEC investigation of the matter.