On April 24, the SEC ordered a global internet media company, acquired in 2017 by a global communications company, to pay $35 million to settle claims alleging that the company failed to disclose a 2014 cybersecurity breach in which Russian hackers stole data from over 500 million user accounts. Compromised private user information included usernames, email addresses, phone numbers, birthdates, passwords, and security questions and answers. According to the SEC’s cease-and-desist order, during the two years following the breach, the internet media company (i) failed to inform outside counsel or auditors of the breach in order to assess public filing disclosure obligations; (ii) failed to maintain internal disclosure controls and procedures designed to guarantee that the company’s information security team reports addressing actual data breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure; and (iii) made misleading statements in its public filings that warned investors only of the “risk of potential future data breaches” without disclosing the 2014 data breach. The SEC claimed that the disclosure violations continued as acquisition discussions were held in 2016 and resulted in renegotiation of the terms of the company’s sale, including a 7.25 percent reduction in price. The company ultimately disclosed the breach to the public in September of 2016. In agreeing to the settlement, the company neither admitted nor denied the SEC’s findings, except as to the SEC’s jurisdiction over the matter.