Yahoo! Order Is SEC’s First Cyber-Disclosure Enforcement Action

On April 24, the Securities and Exchange Commission charged Altaba Inc., formerly Yahoo! Inc., with misleading shareholders by waiting almost two years to disclose its 2014 data breach. Consenting to a cease-and-desist order, Altaba agreed to pay a $35 million penalty in the first SEC enforcement action against a public company relating to cyberbreach notification. The SEC’s action follows a trend by state attorneys general and other regulators in exacting significant penalties from companies that fail to provide timely breach notification. Yahoo! previously reached an $80 million settlement to resolve a class-action securities case for failure to disclose the breach, and currently faces a class-action lawsuit by users who claim their information was stolen.

The SEC’s order provides helpful insight into when it will view a company’s cybersecurity disclosures as warranting enforcement action.

If you have any questions regarding the matters covered in this publication, please reach out to any of the lawyers listed below or your usual Davis Polk contact.

This communication, which we believe may be of interest to our clients and friends of the firm, is for general information only. It is not a full analysis of the matters presented and should not be relied upon as legal advice. This may be considered attorney advertising in some jurisdictions. Please refer to the firm's privacy notice for further details.

Related materials

Read the full update
Copy link to share post