SEC Wallops Yahoo With $35M Penalty Over Breach Disclosures—or Lack Thereof
The company, now known as Altaba, has settled SEC claims that it misled investors about a 2014 data breach which affected more than 500 million user accounts.
April 24, 2018 at 05:14 PM
4 minute read
The company formerly known as Yahoo Inc. has agreed to pay $35 million to settle SEC claims that it misled investors about a 2014 data breach that affected more than 500 million of its user accounts.
Yahoo employees learned of the breach of users' data, including usernames, birth dates and telephone numbers, in late 2014, but didn't disclose anything about it until after the 2016 announcement that the company's operating assets would be acquired by Verizon Communications Inc., according to the U.S. Securities and Exchange Commission.
The SEC claims that Yahoo's financial disclosures, including its quarterly and annual filings from 2014 through 2016, were “materially misleading” since they only mentioned potential risks associated with future breaches without disclosing that “the largest known theft of user data” had already occurred. The SEC also claims that Yahoo's stock purchase agreement with Verizon, which was filed with the SEC in July 2016, falsely denied the existence of any significant data breaches.
Yahoo announced in a March 2017 filing with the SEC that certain senior executives at the company and members of its legal team “had sufficient information to warrant substantial further inquiry” about the breach as early as 2014. The company announced the resignation of then-general counsel Ron Bell the same day as the filing.
The company, which has changed its name to Altaba Inc. since Verizon acquired its operating business, neither confirmed nor denied the SEC's allegations as part of the settlement. The company's lawyers, Craig Martin and Jordan Eth of Morrison & Foerster, didn't immediately respond to messages.
In a press release announcing the deal, Steven Peikin, co-director of the SEC Enforcement Division, said the agency doesn't “second-guess good faith exercises of judgment about cyber-incident disclosure.”
“But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Peikin said.
Jina Choi, the director of the SEC San Francisco regional office which handled the Yahoo investigation, added that “Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.”
Michael Dicke, the co-chair of Fenwick & West's securities enforcement group and the former enforcement chief of the SEC's regional office, points out that this is the agency's first enforcement action against a company accused of failing to disclose a breach that had a material impact of the company's financial performance.
He said the underlying order specifically notes that Yahoo's breach response plan failed to consider whether the company had a duty to disclose material information about a breach to the market and that the company didn't tell its outside counsel or auditors about it.
“[While a company] has to have lots and lots of technical support as part of the plan, you really have to have someone on the primary response team with the ability to assess the disclosure issues,” Dicke said.
The SEC's investigation was conducted by Tracy Combs with the agency's Cyber Unit and supervised by Jennifer Lee and Erin Schneider in the San Francisco office.
Tuesday's announcement comes after shareholders represented by lawyers at Pomerantz and Glancy Prongay & Murray agreed to an $80 settlement last month over claims that Yahoo misled them about a series of four data breaches that affected as many as 3 billion accounts. That proposed deal still requires a sign-off from U.S. District Judge Lucy Koh in San Jose, who is overseeing the investor suit as well as multidistrict litigation targeting Yahoo with claims on behalf of users whose data was stolen.
Yahoo is represented in the MDL by Gibson, Dunn & Crutcher and Hunton Andrews Kurth.
Reached by email Tuesday, John Yanchunis of Morgan & Morgan, lead plaintiffs counsel in the MDL, said it was hard to tell how the SEC deal might bear on the case he's handling. “It at the very least demonstrates a desire to resolve claims arising from the data breach,” he said. “And our case now is the only one that remains.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllIn Lawsuit, Ex-Google Employee Says Company’s Layoffs Targeted Parents and Others on Leave
6 minute readMorrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250