In the aftermath of the April 24, 2018, Securities and Exchange Commission (SEC) statement announcing its penalty against Altaba Inc., formerly Yahoo! Inc. (Yahoo!), for failing to timely report a massive data breach,[1] reactions went from initial shock at the hefty size of the $35 million penalty to more lukewarm assessments based on the size of the penalty relative to the size of the $4.5 billion company. Lest there be any mistake, however, this penalty, and what it represents, is highly noteworthy, particularly for the highest levels of public companies.
The SEC, and regulators across the US and the globe, are signaling their increased emphasis on transparency during and after breaches. While it can be difficult at times to determine whether and when regulatory notifications are required, not having a defined process in place to make those decisions, lacking appropriate escalation triggers, and defaulting to non-disclosure, may increasingly become expensive propositions.
The SEC found that while Yahoo! experienced a breach in both 2013 and 2014, the company neglected to disclose the breach until 2016, after the process to acquire it had already begun.[2]
The SEC further explained that the data breach of Yahoo!’s systems was discovered shortly after it occurred by the organization’s information security team.[3] At that time, it was determined that Russian hackers gained access to usernames, encrypted passwords, phone numbers, birthdates and, importantly, security questions and answers, all of which can be used to launch further attacks.[4]
Upon further investigation, the SEC discovered that the information security team reported the data breach to members of both the Yahoo! legal department and upper management, but the company failed to take proper action to investigate the breach or notify its investors.[5] Furthermore, Yahoo! failed to notify the acquiring company until months after the company had signed the deal to acquire it.[6] While the acquisition went forward, the negative consequences were substantial: the purchase price decreased by $350 million, the CEO of Yahoo! at the time lost her bonus, and the General Counsel resigned.[7]
What is considered material?
Under SEC guidance, organizations must "take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,"[8] but there is no bright-line rule on what constitutes materiality. Cyber events often evolve over time, especially when they come at the hands of determined and sophisticated adversaries like nation-states. In the frustrating middle ground between obviously insignificant and obviously significant, sound judgment and defined, written policies make all the difference.
Steven Peikin, Co-Director of the SEC Enforcement Division, concisely summed up the SEC’s enforcement position regarding materiality and the important role of policies and judgment when he stated, “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”[9]
Similarly, the Director of the SEC’s Division of Corporation Finance, William Hinman, reflected on what happens when the SEC learns of a breach from another source. Before the House Committee on Financial Services, Hinman noted that when the SEC discovers, usually through news reports, that a data breach has occurred and no notification has been provided, the staff will contact counsel representing the organization at issue and ask to be walked through the analysis used to determine whether the data breach was material or immaterial.[10] No regulator likes to be surprised, and if they are calling you, you are already on the back foot.
What steps can be taken now?
During a breach is not the time to start reviewing policies. Instead, policies and procedures should be in place and refined well beforehand, and these documents should contain clear escalation triggers and a regulatory notification strategy, philosophy and process. Before regulators and, increasingly, courts, the key is being able to demonstrate reasonableness, which is much more easily done when crisis decisions are made in line with pre-existing, well-thought-out policies. Accordingly, organizations help themselves the more they are able to “show their math” as to how the decision to disclose or not was made. As the Director of the SEC's San Francisco Regional Office added, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach.”[11]
Ultimately, even for a $4.5 billion company, this $35 million fine can be a big deal, particularly as it prolongs the adverse reputational effects on the company and on the executives involved. There were no penalties assessed against individuals, but that day may yet come, whether in this case or similar cases.
The penalty also brings significant implications for other public companies. As any good prosecutor will tell you, if you have to ask the question whether to notify the defense, you should probably notify the defense. With the SEC, other regulators and courts taking a stronger view on notification, it is now time to ask whether this adage may be applied to your company’s breach notification strategy. There are certainly some breaches that do not rise to the level of materiality, but there are increasingly more that do, and regulators, like courts, do not often look favorably upon late disclosures.