SEC Wallops Yahoo With $35M Penalty Over Breach Disclosures—or Lack Thereof

[caption id="attachment_1413" align="alignnone" width="616"]

Yahoo corporate headquarters[/caption] The company formerly known as Yahoo Inc. has agreed to pay $35 million to settle SEC claims that it misled investors about a 2014 data breach that affected more than 500 million of its user accounts. Yahoo employees learned of the breach of users’ data, including usernames, birth dates and telephone numbers, in late 2014, but didn't disclose anything about it until after the 2016 announcement that the company's operating assets would be acquired by Verizon Communications Inc., according to the U.S. Securities and Exchange Commission. The SEC claims that Yahoo's financial disclosures, including its quarterly and annual filings from 2014 through 2016, were "materially misleading" since they only mentioned potential risks associated with future breaches without disclosing that "the largest known theft of user data" had already occurred. The SEC also claims that Yahoo's stock purchase agreement with Verizon, which was filed with the SEC in July 2016, falsely denied the existence of any significant data breaches. Yahoo announced in a March 2017 filing with the SEC that certain senior executives at the company and members of its legal team “had sufficient information to warrant substantial further inquiry” about the breach as early as 2014. The company announced the resignation of then-general counsel Ron Bell the same day as the filing. The company, which has changed its name to Altaba Inc. since Verizon acquired its operating business, neither confirmed nor denied the SEC's allegations as part of the settlement. The company's lawyers, Craig Martin and Jordan Eth of Morrison & Foerster, didn't immediately respond to messages. In a press release announcing the deal, Steven Peikin, co-director of the SEC Enforcement Division, said the agency doesn't "second-guess good faith exercises of judgment about cyber-incident disclosure." "But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” Peikin said. Jina Choi, the director of the SEC regional office which handled the Yahoo investigation, added that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach." The SEC's investigation was conducted by Tracy Combs with the agency's Cyber Unit and supervised by Jennifer Lee and Erin Schneider in the San Francisco office. Tuesday's announcement comes after shareholders represented by lawyers at Pomerantz and Glancy Prongay & Murray agreed to an $80 settlement last month over claims that Yahoo misled them about a series of four data breaches that affected as many as 3 billion accounts. That proposed deal still requires a sign-off from U.S. District Judge Lucy Koh in San Jose, who is overseeing the investor suit as well as multidistrict litigation targeting Yahoo with claims on behalf of users whose data was stolen. Yahoo is represented in the MDL by Gibson, Dunn & Crutcher and HuntonAndrews Kurth. Reached by email Tuesday, John Yanchunis of Morgan & Morgan, lead plaintiffs counsel in the MDL, said it was hard to tell how the SEC deal might bear on the case he's handling. "It at the very least demonstrates a desire to resolve claims arising from the data breach," he said. "And our case now is the only one that remains."