[BreachExchange] SEC Cyber Unit Brings Groundbreaking Data Breach Case

[Audrey McNeil]

https://www.natlawreview.com/article/sec-cyber-unit-brings-
groundbreaking-data-breach-case

On April 24, 2018, the Securities and Exchange Commission (SEC) announced
its most significant case ever filed against a respondent for one of the
world’s largest data breaches. Albata, Inc., f/d/b/a Yahoo! Inc., (“Yahoo”)
settled with the SEC to charges of violating Section 17(a)(2) and 17 (a)(3)
of the Securities Act of 1933 (“Securities Act”), amongst other charges,
and agreed to various remedies, including a $35 million penalty.

In summary, the SEC alleged that in December of 2014 Yahoo’s information
security team learned that Russian hackers stole what was referred to
internally as the company’s “crown jewels”: usernames, email addresses,
phone numbers, birthdates, encrypted passwords, and security questions and
answers for more than 500 million users. Although information relating to
the breach was reported to members of Yahoo’s senior management and legal
department, Yahoo failed to properly investigate the circumstances of the
breach and to adequately consider whether the breach needed to be disclosed
to investors. In addition, the SEC found that Yahoo did not share
information regarding the breach with its auditors or outside counsel in
order to assess the company’s disclosure obligations in its public filings.

The breach was not disclosed to the investing public until more than two
years later, when in 2016 Yahoo was in the process of closing the
acquisition of its operating business by another company. This disclosure
caused a $1.3 billion fall in Yahoo’s market capitalization and a reduction
in the acquisition price by $350 million.

As a result, the SEC’s order found that in Yahoo’s quarterly and annual
report filings during the two-year period following the breach, the company
failed to disclose the breach or its potential business impact, legal
implications, and other potential ramifications. Finally, the SEC’s order
finds that Yahoo failed to maintain disclosure controls and procedures
designed to ensure that reports from Yahoo’s information security team
concerning cyber breaches, or the risk of such breaches, were properly and
timely assessed for potential disclosure.

In conclusion this SEC action provides several takeaways:

– This may be one of the first, but it will not be the last data breach
case by the Division of Enforcement’s Cyber Unit created in September of
2017.

– The SEC charged Yahoo with fraud, but not with Rule 30(a) of Regulation
S-P of the Securities Act. Historically, the SEC used the latter statute as
the primary charge for data breaches. While these fraud charges against
Yahoo are more aggressive, Section 17(a)(2) and (a)(3) are non-scienter
based charges.

– Notably, the SEC did not charge any individuals.

– A study of the findings in the SEC’s order coupled with the Commission
Statement and Guidance on Public Company Cybersecurity Disclosures
announced on February 21, 2018, provides guidance for public companies and
registrant firms to consider when assessing their cybersecurity programs,
controls, policies and procedures, and disclosure obligations.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180427/9d1fe81f/attachment.html>