The Securities and Exchange Commission settled charges this week with the company formerly known as Yahoo for its failure to disclose a massive data breach the company suffered in 2014 — giving compliance officers useful insights into the poor breach disclosure practices that can put you in the SEC’s crosshairs.
Until now, the SEC had never sanctioned a company over cybersecurity lapses. We’ve seen many speeches and pronouncements from SEC officials stressing the importance of cybersecurity; plus two batches of guidance (in 2011 and 2018) describing the disclosure duties companies have under federal securities law.
Still, an enforcement order (and $35 million in penalties to boot) goes a long way to getting a board’s attention. So what can compliance officers glean from the case as you talk to your boards about proper data breach and cybersecurity policy?
Above all, disclosure controls and procedures matter. That was a central message of the SEC’s most recent cybersecurity guidance, issued in February. Companies should have controls in place to detect data breaches, assess their severity, and then disclose relevant facts about material breaches to the investing public.
According to the SEC’s complaint, that’s not what happened at Yahoo at all. The breach, of 500 million customer records, happened sometime in late 2014. Yahoo didn’t disclose details of the incident until mid-2016, when it was in the middle of selling itself to Verizon.
Instead, Yahoo merely filed the same disclosures in one quarterly filing after another, that cybersecurity was a risk in general “and we may incur significant legal and financial exposure” from breaches that happened. (Now that’s how you do understatement.)
Yahoo knew within days that the breach was major — the “crown jewels,” as the IT security team phrased it, of users’ names, birth dates, phone numbers, and the like. Yahoo’s head of information security had also relayed those details to senior management immediately.
Then Yahoo withheld that information for nearly two years. Perhaps most telling was this line from the SEC’s complaint:
“Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.”
That comes across as Yahoo managers reluctant to expose their thinking to objective, external scrutiny. Even if a corporate compliance officer might not opine on an incident like this, the decision withhold discussion from other advisers gets to the spirit of what effective compliance and internal control is all about — a willingness to have objective assessments of corporate conduct. Yahoo missed that mark.
On a practical level, we can say this enforcement action shows that the SEC is ready to punish companies that mishandle cybersecurity breaches. We just need to remember what “mishandle” means in this context: that senior executives withhold information a reasonable investor would want to know.
That’s not the same standard as required under consumer protection laws, from the GDPR down to state breach disclosure laws. Those thresholds might be more painful, but they are clear cut.
Disclosure of cybersecurity incidents under SEC investor protection rules has been a lot more murky. Now we have at least one example of what not to do.
Then again, Yahoo’s decision to keep quiet for nearly two years about one of the largest breaches in history will strike most people as egregious, hence, the $35 million penalty. If your board’s instinct is to assume the same defensive crouch amid bad news, you may have big problems on your hands anyway.