SEC Issues First Fine for Delayed Data Breach Disclosure to Yahoo Remnant - Clarip Privacy Blog

Altaba has agreed to pay the U.S. Securities and Exchange Commission (SEC) $35 million for its delayed disclosure to investors around the December 2014 data breach of Yahoo.

It is the first enforcement action of its kind by the securities regulator, which has the power to fine publicly traded companies over their disclosures to investors. Privacy violation enforcement in the United States has typically been handled by the Federal Trade Commission under its Section 5 powers.

However, this fine should come as no surprise to many in the industry. The prevention of materially misleading disclosures to investors is a core mission of the regulator, and the SEC has taken on a greater role in cybersecurity in particular in recent years. Cybersecurity is listed as a top priority for the SEC’s Division of Enforcement, and the agency created a dedicated “Cyber Unit” to investigate cybersecurity intrusions and other online issues. It is also a high priority for the Office of Compliance Inspections and Examinations (OCIE), which conducts risk assessments and looks at vulnerabilities at investment banks, brokers and other securities industry operators.

In February, the SEC issued new guidelines for public companies in the preparation of disclosures about cybersecurity risks and incidents. The SEC’s guidance on this issue is clear:

“Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The SEC statement and guidance provide a number of examples of laws that might require the disclosure of a data breach. The guidance provides additional and updated information to the 2011 disclosure on this topic. There has been much speculation over the years about when and under what circumstances the first fine would be issued.

The SEC found that Yahoo knew that Russian hackers had obtained personal information from Yahoo users a few days after it happened in December 2014, but didn’t tell the public until late in 2016. Altaba is the remnant corporation containing Yahoo’s investments in Alibaba and Yahoo Japan, left over after the sale of a large portion of Yahoo to Verizon for more than $4 billion. Altaba neither admitted nor denied the SEC findings.

It is uncertain how many more enforcement actions like this we will get, with the GDPR moving to a 72-hour rule for breach notifications and the United States considering additional privacy protections after the Facebook – Cambridge Analytica news. Still, this could be a hot area for SEC enforcement given the number of data breaches that have been happening.
