Altaba (Yahoo) Enters into Settlement with SEC to Pay $35 Million for Cybersecurity Breach Claim

On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the SEC, agreeing to pay $35 million amid allegations that Yahoo misled investors by failing to disclose its knowledge of the massive 2014 data breach that exposed the personal data of over 500 million users. According to the SEC order, Yahoo’s senior management became aware of the hack days after the incident, but failed to properly investigate the breach or consider whether it should be disclosed to investors. The breach was disclosed in September 2016, when Verizon was closing its acquisition of Yahoo’s operating business. The SEC order also found that Yahoo kept the breach secret from external auditors and failed to maintain disclosure controls and procedures. This is the first time the SEC has charged a public company for failure to disclose a cybersecurity breach.

The updated Framework for Improving Critical Infrastructure Cybersecurity, released on April 16, 2018 by the U.S. Commerce Department’s National Institute of Standards and Technology, could provide pertinent guidance on cybersecurity, including authentication, risk assessment, management of cybersecurity within the supply chain, and vulnerability disclosure. While the Framework originally targeted critical infrastructure industries such as banking, energy and communications, it has since been widely adopted by companies of all sizes as well as all levels of government. The updated Framework is available here, and the SEC order is available here.