There's a new front in the data breach wars: the U.S. Securities and Exchange Commission.

On Tuesday, the agency announced its first-ever case charging a public company with failing to properly inform investors of a cyber-breach. Altaba, formerly known as Yahoo! Inc., agreed to pay $35 million to settle charges that it misled shareholders by failing to disclose a massive data breach in 2014.

The move puts the SEC on the map as a cyber cop, and gives teeth to the agency's somewhat vague guidance on disclosure obligations relating to cybersecurity risks and cyber incidents. It also means one more worry for companies and their counsel facing data breaches.

Morrison & Foerster firmwide managing partner Craig Martin represented Altaba before the SEC. He did not respond to a request for comment.

In 2014, Russian hackers got the usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of Yahoo! users. The company kept the breach quiet for two years, failing to mention it in its quarterly and annual SEC filings. According to the SEC, Yahoo also neglected to inform its outside counsel or auditors.

“It's a difficult judgment call whether, when and how to disclose a breach,” Steven Peikin, co-director of the SEC's Enforcement Division, said on a conference call with reporters. “We don't seek to second-guess good faith decisions.”

The former Sullivan & Cromwell partner added, “But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”

The private bar already filed and settled a securities class action against Yahoo for failing to disclose the breach for $80 million. The plaintiffs were represented by Pomerantz and Glancy Prongay & Murray. (The company also faces a pending class action by users who had their information stolen. In March, U.S. District Judge Lucy Koh in San Jose refused to dismiss the case and greenlighted punitive damages.)

Some litigators have been speculating that securities fraud class action lawsuits stemming from data breaches will be the next big thing.

Right now, it's still a trickle. According to a Bloomberg Law study, shareholders filed nine such suits between January 2017 and February 2018. But that's up from zero 2016.

“These recent cases underscore the challenge public companies face in crafting appropriate disclosures that cover the range of data security risks faced by the organization – be it a potential breach, a latent vulnerability, or otherwise,” wrote Patterson Belknap partner Craig Newman and associate Derek Borchardt in the firm's data security law blog. “We suspect that these nine cases are only the beginning and additional cases will be filed whenever a data security incident is followed by a decline in stock price.”

In some ways, the SEC action against Yahoo feels like piling on, given the efficiency and willingness of the private bar to pursue a comparable action to benefit injured shareholders rather than the U.S. Treasury.

But the SEC can provide unique deterrence in one area: the ability to go after individual officers, and to impose (potentially career-ending) officer/ director bars.

Peikin confirmed the SEC's investigation is ongoing, and said the agency may still bring charges against individuals. He declined to elaborate further.

All I can say is, if I was former Yahoo CEO Marissa Mayer or former general counsel Ronald Bell, I'd be feeling a bit nervous about now.

|

Survey Says?

A new survey by Carlton Fields of shows that spending on class action defense last year hit its highest level since 2010.

“Survey respondents reported their average spend per class action increased substantially over the past two years, even as the overall number of class action cases per company remained consistent,” the firm reported.

Per the survey, companies across multiple industries spent $2.24 billion defending class action lawsuits in 2017, with spending projected to reach a high of $2.39 billion in 2018.

Carlton Fields found that labor and employment (particularly, wage and hour litigation), consumer fraud, product liability and antitrust matters accounted for two-thirds of class action spending by respondents, with data privacy and security matters “lurking as a potential next wave in 2018.” (Ahem, see above.)

The results are based on 411 interviews with general counsel, chief legal officers, and direct reports to general counsel at 385 companies in multiple industries.

The full survey is available here.

|

There but for the Grace of God…

Kansas Secretary of State Kris Kobach could use a little help with his proof-reading.

On Tuesday, his office filed a 72-page proposed findings of fact in a voting rights case that included this note-to-self on page 62: “Plaintiffs Fish, Bucci and the League of Women Voters lack standing? PROBABLY NOT WORTH ARGUING?”

The line below was left blank.

The plaintiffs in the case are challenging whether Kansas can require proof of citizenship, such as a birth certificate or passport, to allow people to vote.

Kobach's filing also included the statement that it “has been illegal to register to vote in Kansas for years.”

There was little chance no one would notice the flubs—not in such a high-profile case, and not when opposing counsel includes the ACLU plus lawyers from Dentons and Dechert. Suffice to say, Twitter had a blast.

Kobach's office filed a corrected version later in the day.

It's a win for business interests—and Kirkland & Ellis partner Paul Clement.

Will it be the Middle District of Florida? The Eastern District of Pennsylvania? Maybe the Eastern District of New York? Or the Eastern District of Wisconsin?

“My favorite parts of practicing law were sitting in a group and discussing cases, discussing the narratives,” Christopher Hagale said. “In litigation finance, that's every day.”

Before she joined Microsoft in 2007, she practiced at Perkins Coie and Cooley.

Wilkinson Walsh + Eskovitz attorney Brian Stekloff did not dispute that the blood thinner can cause severe and sometimes fatal bleeding, but said doctors may find the benefits of the drug outweigh the risks for some patients.

Inter-partes reviews can be decided in executive agencies rather than Article III courts because patents are public rights, not private rights.

An in-depth profile by Lizzy McLellan of the eighth-largest firm in the Am Law 100.

Not so fast—Nixon Peabody partner Thaddeus Stauber, the defendants' attorney, says his clients plan to appeal their loss of the paintings.