SEC Reaches Settlement in First Enforcement Action Involving Failure to Disclose Data Breach with Material Impact

Fenwick securities enforcement co-chair Michael Dicke spoke with The Recorder about the $35 million settlement between Yahoo—now known as Altaba—and the U.S. Securities and Exchange Commission to settle claims that the company misled investors about a 2014 data breach that affected more than 500 million user accounts.

According to the SEC, in late 2014, Yahoo employees learned of the breach, but the company did not disclose anything about it until after the announcement that the company’s operating assets would be acquired by Verizon in 2016.

Dicke, formerly the head of enforcement for the SEC’s San Francisco regional office, pointed out that this is the agency’s first enforcement action against a company accused of failing to disclose a breach that had a material impact of the company’s financial performance.

He mentioned the SEC’s underlying order specifically noted that Yahoo’s breach response plan failed to consider whether the company had a duty to disclose material information about a breach to the market and that the company did not share this information with its auditors or outside counsel.

“[While a company] has to have lots and lots of technical support as part of the plan, you really have to have someone on the primary [incident] response team with the ability to assess the disclosure issues,” Dicke told The Recorder.

The full article is available on The Recorder (subscription required).​​​​​​​​