On 24 April 2018, the SEC instituted a settled administrative proceeding against Altaba Inc., f/d/b/a Yahoo! Inc. (Yahoo!) for allegedly failing to disclose a significant data breach that affected its user accounts, in violation of Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act. The SEC imposed a $35 million penalty on Yahoo!, which neither admitted nor denied the SEC's findings.

Yahoo! provides more than a billion users worldwide with Internet search services, emails, and digital content. According to the SEC, in late 2014, Yahoo! learned of a breach in its user database that resulted in the theft of hundreds of millions of its users' personal data, including usernames, telephone numbers, dates of birth and passwords. Although the company's senior management was notified of the breach, Yahoo!'s auditors and outside counsel were not, and Yahoo!'s internal disclosure controls did not mandate that the breach be assessed to determine whether or how it should be disclosed. Accordingly, this data breach was never disclosed in various reports that the company filed with the SEC from 2014 through 2016—including in its Form 10-Q and 10-K filings in 2015. Instead, Yahoo!'s reports disclosed only that security breaches were a potential risk factor. Similarly, during talks with Verizon Communications, Inc. (Verizon) regarding the sale of Yahoo!'s operating business, Yahoo! did not disclose the 2014 data breach when addressing past instances in which users' data were exposed. When Yahoo! publicly disclosed the breach in a press release attached to its September 2016 Form 8-K, its stock price dropped by 3%—a market capitalization loss of nearly $1.3 billion. The company was also forced to reduce the price Verizon paid for its business by $350 million.

The SEC contended that Yahoo! violated Sections 17(a)(2) and (a)(3) of the Securities Act and Section 13(a) of the Exchange Act by failing to disclose the 2014 data breach in reports filed with the SEC, and by failing to maintain controls that ensured the breach would be evaluated for inclusion among Yahoo!'s disclosures. As a result, the SEC required Yahoo! to pay a $35 million civil monetary penalty. Yahoo! agreed not to contest any of the findings in the SEC's order and undertook to aid and cooperate in the SEC's ongoing investigation. The SEC noted that it took Yahoo!'s cooperation into account in declining to seek a penalty in excess of $35 million.

This proceeding is the first instance in which a company has settled Securities Act fraud charges with the SEC for failing to disclose a data breach.
