SEC Issues $35 Million Fine For Alleged Failure To Disclose Data Breach
On April 24, 2018, the United States Securities and Exchange Commission (“SEC”) instituted a settled administrative proceeding against Altaba Inc., f/d/b/a Yahoo! Inc. (“Yahoo!”) for allegedly failing to disclose a significant data breach that affected its user accounts, in violation of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act. See In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., Admin. Proc. No. 3-18448 (April 24, 2018). As summarized below, the SEC principally imposed a $35 million penalty on Yahoo!, and Yahoo! neither admitted nor denied the SEC’s findings set forth in the administrative proceeding.
Yahoo! provides more than a billion users worldwide with Internet search services, email, and digital content. According to the SEC, in late 2014, Yahoo! learned of a breach in its user database that resulted in the theft of hundreds of millions of its users’ personal data, including usernames, telephone numbers, dates of birth, and passwords. Although Yahoo!’s senior management were notified of the breach, Yahoo!’s auditors and outside counsel were not, and Yahoo!’s internal disclosure controls did not mandate that the breach be assessed to determine whether or how it should be disclosed. Accordingly, this data breach was never disclosed in various reports that Yahoo! filed with the SEC from 2014 through 2016—including in its Form 10-Q and 10-K filings in 2015. Instead, Yahoo!’s reports disclosed only that security breaches were a potential risk factor. Similarly, during talks with Verizon Communications, Inc. (“Verizon”) regarding the sale of Yahoo!’s operating business, Yahoo! did not disclose the 2014 data breach when addressing past instances in which users’ data were exposed. When Yahoo! publically disclosed the breach in a press release attached to its September 2016 Form 8-K, its stock price dropped by 3%—a market capitalization loss of nearly $1.3 billion. Yahoo! was also forced to reduce the price Verizon paid for its business by $350 million.
The SEC contended that Yahoo! violated Sections 17(a)(2) and (a)(3) of the Securities Act and Section 13(a) of the Exchange Act by failing to disclose the 2014 data breach in reports filed with the SEC, and by failing to maintain controls that ensured the breach would be evaluated for inclusion among Yahoo!’s disclosures. As a result, the SEC required Yahoo! to pay a $35 million civil monetary penalty. Yahoo! agreed not to contest any of the findings in the SEC’s order and undertook to aid and cooperate in the SEC’s ongoing investigation. The Commission noted that it took Yahoo!’s cooperation into account in declining to seek a penalty in excess of $35 million.
This proceeding is the first instance in which a company has settled Securities Act fraud charges with the SEC for failing to disclose a data breach.