[BreachExchange] SEC's Yahoo Probe Could Set a Precedent, Defense Lawyers Say

[Audrey McNeil]

http://www.nationallawjournal.com/id=1202777476370/SECs-
Yahoo-Probe-Could-Set-a-Precedent-Defense-Lawyers-Say

While the U.S. Securities and Exchange reportedly investigates whether
Yahoo Inc. should have disclosed two massive data breaches to investors
earlier, corporate defense attorneys who are not involved with the matter
say any charges would mark the first SEC case involving failure to disclose
a data breach to shareholders.

The investigation, reported first by The Wall Street Journal, will examine
whether Yahoo broke securities laws when it waited until 2016 to disclose
two data breaches in which more than a billion users had their data
compromised.

Yahoo declined to comment on the reports of an SEC investigation beyond a
November 2016 10Q securities filing in which the company said it is
“cooperating with federal, state and foreign government officials and
agencies seeking information and/or documents” about the breach, including
the SEC. The commission also declined to comment Monday.

Corporate Counsel reported in September 2016 that a late-2014 cyberattack
had caused a breach of at least 500 million Yahoo user accounts. In
December 2016, the tech giant revealed that a separate but even bigger
breach—of more than 1 billion accounts— had also taken place starting in
August 2013, according to The New York Times.

Disclosure of the data breaches came in the midst of an effort by Verizon
Communications Inc. to acquire Yahoo.

The delays in reporting prompted some to question why Yahoo didn’t speak up
about the breaches sooner. U.S. Sen. Mark Warner, D-Virginia, wrote to
former SEC Chair Mary Jo White in September 2016 asking her to investigate,
sibling publication the National Law Journal reported.

Attorneys who represent companies in securities and data breach matters
said Yahoo’s situation underscores challenges public companies face knowing
what to say in their disclosures and when to say it.

Robert Cattanach, a partner at Dorsey & Whitney in Minneapolis who
represents companies in cybersecurity matters said it’s possible—depending
on the specific facts—the Yahoo matter could be a good test case for the
SEC. But he cautioned that from a company perspective, it can take weeks or
months to gather enough information about a breach and the information that
was compromised in an incident to disclose it accurately.

“I can promise you that there are so many different open questions when you
are in the middle of one of these [data breaches], your head is just
swimming,” he said. “So the fact that [Yahoo] waited a while before
[disclosing] is in many ways understandable, but from the SEC perspective:
you don’t get forever.”

Craig Newman, a partner at Patterson Belknap Webb & Tyler in New York, who
represents clients in complex financial litigation and cybersecurity
matters, said companies are between “the proverbial rock and hard place”
during a breach, because “they don’t want to jeopardize law enforcement
efforts, they don’t want to jeopardize investigations, but at the same
time, securities laws require them to be transparent with their own
investors.”

Newman added that the commission’s guidance on cybersecurity and
disclosures, which was published in 2011, does not provide any direction as
to how long companies should take before disclosing.

Although the commission hasn’t created a timeline for disclosure, most
states have data-breach disclosure laws that include a time frame, some
giving companies 45 days, for instance, to disclose. But attorneys say the
clock can be stopped on these laws when there is a confidential law
enforcement investigation involved.

Daniel Hawke, a partner at Arnold & Porter in Washington, who represents
companies in securities matters and is a former chief of the SEC
Enforcement Division’s Market Abuse Unit, said the question of disclosure
is complicated by the fact that in some cases, hackers or others committing
the data breach might actually want to see it become public knowledge.

“If you disclose you’ve been a victim of a hack,” Hawke said “the very
purpose of that disclosure might be to drive the stock price down as the
hackers are prepositioned in front of negative news with the short
position.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170124/77c63de4/attachment.html>