May 04, 2018
Cadwalader partner Joseph Moreno was quoted in a recent story in The Cybersecurity Law Report on Yahoo’s $35 million settlement with the SEC for failing to disclose a 2014 personal data breach impacting more than 500 million user accounts.
The Cybersecurity Law Report reported that Altaba, formerly Yahoo, agreed to pay the fine to settle charges that it misled investors by not informing them of the hack until September 2016, despite knowing of it as early as December 2014.
Moreno, who leads Cadwalader’s Cybersecurity and Data Protection practice, told The Cybersecurity Law Report, “Yahoo’s nearly two-year delay in making the breach known to investors, the vast number of users affected, and the company’s issuance of numerous public filings that failed to mention the breach made [it] a prime candidate for the SEC to make an example of.”
The article noted that the company didn’t disclose the breach until after its sale to Verizon was already under way. Verizon ultimately negotiated a $350 million decrease in the acquisition price due to Yahoo’s poor cybersecurity and incident response.
Said Moreno, “The fact that Yahoo was an internet technology company and should have had its cybersecurity ducks in a row makes the breach all the more impactful, and therefore, all the more likely to be considered material by investors and the SEC.”
The proceeding follows the SEC’s recent release of updated cybersecurity disclosure guidance for reporting companies and reinforces the fact that the agency is focused on companies’ cybersecurity disclosure practices.