On April 24, the Securities and Exchange Commission (SEC) announced a settlement with Altaba, Inc., formerly known as Yahoo! Inc., worth $35 million. The figure settled charges that the company deliberately misled investors by waiting a full two years to release information about a data breach that resulted in hackers gaining access to personal data connected to 500 million user accounts.
The settlement is a groundbreaking moment, as it’s the first time the SEC has ever initiated a cyber-disclosure enforcement action against a public company. This sheds some interesting light on how the SEC views the cybersecurity disclosure obligations of these companies and gives large corporations a greater idea of what’s expected of them.
What to take away from the case
By showing a focus on cybersecurity, the SEC demonstrates its overall commitment to safety on the internet. The ruling in this case emphasizes that if a company becomes aware of a significant data breach, merely disclosing the possible risk of an attack could be misleading to its investors. Still, the order does not require immediate public disclosure of all data breaches.
In its 2018 Guidance, the SEC said “a company may require time to discern the implications of a cybersecurity incident,” but that “an ongoing internal or external investigation — which often can be lengthy — would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Therefore, there is still an element of good faith left to companies with regard to how they operate in data breach situations. These companies can use their best judgment in deciding how to proceed in a situation and the type of response they issue. But if the way they proceed misleads investors or harms consumers, the SEC will come down on them hard.
For more information on the effect of this SEC settlement with Yahoo, meet with a skilled Dallas whistleblower attorney at Kardell Law Group.