On April 24, 2018, the Securities and Exchange Commission (SEC) announced a $35 million fine against the company formerly known as Yahoo! Inc. (now known as Altaba, Inc.) for failing to disclose a massive cyber data breach to its investors for nearly two years. This is the first time the SEC has punished a company for such conduct.
In 2014, Russian hackers stole sensitive data from 500 million Yahoo user accounts including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers. When Yahoo learned about this, it “sat on” the information for over two years until it publicly revealed the breach when it was closing the sale of its core business to Verizon. Yahoo also subsequently revealed that it suffered an earlier data breach in 2013, which had impacted all 3 billion of its accounts. Yahoo ended up having to give Verizon a $350-million discount on their deal due to the data breaches.
According to the SEC, the 2014 breach was reported to members of Yahoo’s senior management and legal department, but the company failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” said Jina Choi, Director of the SEC’s San Francisco Regional Office.
The SEC indicated that its actions against Yahoo were due to the egregiousness of Yahoo’s failure to respond to the data breach. “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case,” said Steven Peikin, Co-Director of the SEC Enforcement Division.
Companies should learn from Yahoo’s mistakes. While companies should take the necessary steps to protect themselves, their employees and their customers against data breaches, breaches can still occur. When they do happen, the worst thing a company can do is “stick its head in the sand” or try to cover it up. As Yahoo discovered, doing so can result in hefty government fines as well as other negative financial consequences. Companies should be prepared to implement a quick, effective and legally compliant response to data breaches, which includes making the necessary disclosures to affected parties. Although admitting your company has been hacked can be painful, failing to do so will be even more so.