While the U.S. Securities and Exchange Commission reportedly investigates whether Yahoo Inc. should have disclosed two massive data breaches to investors earlier, corporate defense attorneys who are not involved with the matter say any charges would mark the first SEC case involving failure to disclose a data breach to shareholders.
The investigation, reported first by The Wall Street Journal, will examine whether Yahoo broke securities laws when it waited until 2016 to disclose two data breaches in which more than a billion users had their data compromised.
Yahoo declined to comment on the reports of an SEC investigation beyond a November 2016 10-Q securities filing in which the company said it is “cooperating with federal, state and foreign government officials and agencies seeking information and/or documents” about the breach, including the SEC. The commission also declined to comment Monday.
Corporate Counsel reported in September 2016 that a late-2014 cyberattack had caused a breach of at least 500 million Yahoo user accounts. In December 2016, the tech giant revealed that a separate but even bigger breach—of more than 1 billion accounts—had also taken place starting in August 2013, according to The New York Times.
Disclosure of the data breaches came in the midst of an effort by Verizon Communications Inc. to acquire Yahoo.
The delays in reporting prompted some to question why Yahoo didn’t speak up about the breaches sooner. U.S. Sen. Mark Warner, D-Virginia, wrote to former SEC Chair Mary Jo White in September 2016 asking her to investigate, sibling publication the National Law Journal reported.
Attorneys who represent companies in securities and data breach matters said Yahoo’s situation underscores challenges public companies face knowing what to say in their disclosures and when to say it.
Robert Cattanach, a partner at Dorsey & Whitney in Minneapolis who represents companies in cybersecurity matters, said it’s possible—depending on the specific facts—the Yahoo matter could be a good test case for the SEC. But he cautioned that from a company perspective, it can take weeks or months to gather enough information about a breach and the information that was compromised in an incident to disclose it accurately.
“I can promise you that there are so many different open questions when you are in the middle of one of these [data breaches], your head is just swimming,” he said. “So the fact that [Yahoo] waited a while before [disclosing] is in many ways understandable, but from the SEC perspective: you don’t get forever.”
Craig Newman, a partner at Patterson Belknap Webb & Tyler in New York, who represents clients in complex financial litigation and cybersecurity matters, said companies are between “the proverbial rock and hard place” during a breach, because “they don’t want to jeopardize law enforcement efforts, they don’t want to jeopardize investigations, but at the same time, securities laws require them to be transparent with their own investors.”
Newman added that the commission’s guidance on cybersecurity and disclosures, which was published in 2011, does not provide any direction as to how long companies should take before disclosing.
Although the commission hasn’t created a timeline for disclosure, most states have data-breach disclosure laws that include a time frame, some giving companies 45 days, for instance, to disclose. But attorneys say the clock can be stopped on these laws when there is a confidential law enforcement investigation involved.
Daniel Hawke, a partner at Arnold & Porter in Washington, who represents companies in securities matters and is a former chief of the SEC Enforcement Division’s Market Abuse Unit, said the question of disclosure is complicated by the fact that in some cases, hackers or others committing the data breach might actually want to see it become public knowledge.
“If you disclose you’ve been a victim of a hack,” Hawke said, “the very purpose of that disclosure might be to drive the stock price down as the hackers are prepositioned in front of negative news with the short position.”