WASHINGTON (Legal Newsline) — The Securities and Exchange Commission (SEC) announced April 24 that the entity formerly known as Yahoo! Inc. will pay $35 million after allegations of misleading investors following one of the world's largest data breaches.
“We do not second-guess good faith exercises of judgment about cyber-incident disclosure,” Steven Peikin, co-director of the SEC Enforcement Division, said in a statement. “But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.”
According to the SEC, Yahoo failed to disclose the data breach after it occurred in December 2014. Russian hackers invaded Yahoo systems and stole user account information, including usernames, email addresses, phone numbers, birth dates, and encrypted passwords for security questions and answers, for millions of user accounts. Senior management at Yahoo purportedly learned of the hack within days, yet the incident was not disclosed to the public until more than two years later.
“Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” Jina Choi, director of the SEC's San Francisco Regional Office, said in a statement. “Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.”