On the heels of the Securities and Exchange Commission (SEC) February 20, 2018 guidance on cybersecurity-related disclosures, the SEC imposed its first data breach related enforcement penalty. It should come as no surprise that the SEC’s first penalty was levied against Yahoo arising from its massive 2014 data breach. The $35 million penalty was, as the SEC stated in its April 24 press release, intended “to settle charges that [Yahoo] misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
Significantly, the SEC’s order found that Yahoo’s public disclosures in the period following the data breach were misleading in several ways, including the disclosure of its risk factors. The SEC found that the disclosures were inadequate because Yahoo: (1) it failed to disclose that the widespread breach occurred; (2) failed to disclose the breach in its annual and quarterly reports discussion of trends or uncertainties facing the company; (3) failed to disclose its breach to its auditors and outside counsel; (4) failed to maintain adequate disclosure controls and procedures designed to ensure reports from its information security team were properly and timely assessed to determine the disclosure requirements for breaches; and (5) filed its 8k attaching the stock purchase agreement between Yahoo and Verizon, which denied any data breaches. The SEC press release quoted Co-Director, Steven Peiken, of the SEC Enforcement Division, who stated that the SEC “do[es] not second-guess good faith exercises of judgment about cyber-incident disclosure.” Peiken continued that the SEC “ha[s] also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
There are several takeaways from the SEC’s first plunge into the world of data-breach disclosure penalties, but two stand out. First, from a data-breach response perspective, it is imperative to add corporate disclosure obligations to the checklist for any disclosure requirements under state, and federal securities laws. This includes controls to ensure adequate disclosures in all periodic filings in addition to those disclosures in the company’s quarterly and annual reports. Second, the SEC may target individual officers or directors for their personal liability in failing to disclose the breach, senior executives should be wary to document any such breaches and the actions they take after they learn of the breach. Indeed, the SEC stated in its order that its investigation is ongoing, which signals the SEC might be pursuing personal liability against corporate executives for their part in the disclosure failures, or may even be investigating individuals for insider trading. Either way, it seems like the SEC will pursue both the entity and the individuals, perhaps in an effort to make company employees, executives, and directors more accountable for disclosing data breaches.