INSIGHT

Yahoo continues to pay the price for its 2014 data breach

By Valeska Bloch
Cyber Data & Privacy Startups

In brief

Yahoo has recently come under fire from both the United States Securities and Exchange Commission (US SEC) and the United Kingdom Information Commissioner's Office (UK ICO) for delays in the disclosure of its 2014 data breach to investors, and for 'systematic' and 'material inadequacies' in Yahoo UK's approach to safeguarding data. This article outlines the findings of the US SEC and UK ICO and key learnings for companies in relation to disclosures of known data breaches and expectations regarding the safeguarding of data.

Key takeaways

In relation to the delayed disclosure of the breach:
  • Securities regulators globally are focussing their attention on the adequate and transparent disclosure of cybersecurity incidents and data breaches. Yahoo's US$35 million settlement with the US SEC is the first enforcement action by the US SEC alleging a company's failure to disclose a data breach violated federal securities laws. The enforcement action comes after the US SEC published its interpretative guidance on public company cybersecurity disclosures (the Guidance) in February 2018.1 The Guidance was considered a strong indication that the US SEC would be closely scrutinising public company responses to cybersecurity incidents. For more on continuous disclosure obligations in an Australian context, see our article Coming Clean: Continuous disclosure obligations in the age of the data breach.
  • Failure to disclose a known data breach in a company's annual report may be considered misleading. The US SEC highlighted that Yahoo's company reports identified data breaches only as a potential future risk. In its Guidance, the US SEC explained that where a company has already suffered a cybersecurity incident, it is insufficient to disclose merely that a risk of that kind may arise in future. Instead, to meet their disclosure obligations, companies are expected to disclose the occurrence and consequences of the incident, and to engage in a broader discussion of other potential cybersecurity incidents that pose a particular risk to the company.2

Unlike in the US, Australian listed companies do not have similar guidance on cybersecurity-specific disclosure obligations. However, in light of recent global developments, it has been suggested that the next version of the ASX Corporate Governance Principles and Recommendations may provide more specific guidance in this area.3

  • A discussion of the board's role in overseeing the management of material cybersecurity risks should form part of a company's disclosures. According to the US SEC's Guidance, disclosure about the board's involvement in the oversight of the risk-management process should tell investors how senior management is managing the material risks facing the company. As cybersecurity risk becomes more significant for companies, disclosure of how the board oversees that risk becomes correspondingly more relevant to investors.
  • Companies should be mindful of insider trading laws where there has been a cybersecurity incident. The treatment of insider trading is new to the Guidance and did not form part of the US SEC's 2011 guidance. The Guidance now states that companies should ensure their insider trading policies prohibit trading while in possession of material, non-public information regarding cybersecurity risks and incidents. Further, the investigation of a potential cybersecurity incident may warrant restrictions on trading in the company's securities.4 Prior to public disclosure of a cybersecurity incident, information regarding the incident is likely to be considered material, given the significant impact cybersecurity breaches are having on companies' share prices. This issue is likely to be equally relevant in an Australian context.
In relation to inadequacies in Yahoo's approach to safeguarding the data:
  • Companies should ensure that adequate intercompany agreements and policies are in place that deal with the security measures required to protect personal information. The UK ICO found that Yahoo UK, as the 'data controller' for the affected UK accounts, failed to comply with the Data Protection Act 1998 (the 1998 Act) because it did not take steps to ensure that Yahoo, which processed the data on its behalf, complied with the 1998 Act. Australian privacy law imposes similar obligations on entities. In Australia, APP 8 requires an APP entity to take reasonable steps to ensure that an overseas recipient does not breach the APPs in relation to the information.5 Generally speaking, 'reasonable steps' will often involve the parties entering into a contractual arrangement that requires the recipient of the information to handle the personal information in accordance with the APPs.6 However, what is ultimately deemed to constitute 'reasonable steps', and whether that requires a contract to be entered into, will depend on a number of factors, including the nature of the personal information, the relationship between the parties and the practicability of entering into a formal contract.

About the breach

Yahoo's security team suspected, and subsequently confirmed, that the company had suffered a 'severe and widespread'7 data breach in late 2014. Despite this, Yahoo did not disclose the breach until 2016, when it was in the process of closing its acquisition by Verizon. Yahoo then admitted that data from at least 500 million user accounts had been stolen from the company's network in late 2014 by a state-sponsored actor.

For more information on this data breach, see our earlier article Spotlight: Cyber Breach at Yahoo.

US SEC findings

On 24 April 2018, the US SEC announced that Altaba, formerly known as Yahoo, had agreed to pay a US$35 million penalty to settle claims arising from its failure to disclose the 2014 data breach. Yahoo neither admitted nor denied any wrongdoing.

The US SEC's claim centred on Yahoo's failure to disclose the circumstances of the breach to investors who were left 'totally in the dark'.8 This settlement is the first enforcement action by the US SEC alleging a company's failure to disclose a data breach violated the federal securities laws.

The US SEC found Yahoo's conduct in the period following the breach to be materially misleading in a number of ways:

  • Company reports filed during the two-year period prior to disclosure did not state that the company had suffered a data breach. Instead, the reports stated only that the company faced the risk of, and the negative effects that might be expected to flow from, a future data breach.
  • Yahoo denied the existence of any significant data breaches in an agreement between Yahoo and Verizon, which was publicly filed with the US SEC.
  • Sarbanes-Oxley (SOX) certifications stating that Yahoo had effective disclosure controls and procedures were false. Yahoo failed to maintain disclosure controls and procedures to ensure that data breaches, and possible data breaches, were properly and promptly assessed for potential disclosure.

The US SEC stated that it did not intend to second-guess cyber-incident disclosure decisions (to disclose or not to disclose) that had been made in good faith. Yahoo's response, however, was considered 'so lacking'9 and fell so 'substantially short of expectations'10 that the circumstances warranted enforcement action. Steven Peikin, Co-Director of the US SEC's Enforcement Division, said he 'hoped companies facing similar issues would take note'11 of the action taken against Yahoo.

The US SEC investigation is ongoing. It has been suggested that a 'likely avenue' of the US SEC's ongoing investigation will focus on whether there are any individuals who could be subject to personal liability for these failures.12

UK ICO findings

On 21 May 2018, the UK ICO fined Yahoo UK £250,000 for violations of the 1998 Act, in relation to the same 2014 data breach.

This investigation was carried out before the General Data Protection Regulation (the GDPR) came into effect. Under the 1998 Act, the maximum fine was £500,000. Under the GDPR, entities may be subject to much greater fines. For more information on the impact of the GDPR on Australian businesses, see our article Shakeup to EU Data Protection Regulations – Impact on Australian Businesses.

The UK ICO focused its investigation on the 515,000 UK accounts that were affected. Yahoo UK was the 'data controller' for these accounts, with Yahoo processing the data on its behalf. The investigation found that Yahoo UK:

  • failed to ensure that appropriate systems were in place to protect the credentials of Yahoo employees with access to the personal data of Yahoo UK customers from being compromised;
  • failed to ensure that those measures were in place prior to the 2014 breach. This was held to contravene the seventh data protection principle, which requires that appropriate technical and organisational measures be taken against unauthorised or unlawful processing of personal data; and
  • did not take steps to ensure that Yahoo complied with the standards imposed by the seventh data protection principle. In particular, it did not:
    • enter into a written contract with Yahoo, as required by law; or
    • give any instructions to Yahoo as to the steps it should take to protect the data of which Yahoo UK was the data controller.

In considering the penalty to be imposed, the Commissioner held that there were 'systematic' and 'material inadequacies' in Yahoo UK's approach to safeguarding data, and that 'no satisfactory explanation' for those inadequacies had been provided. As a large, well-resourced and experienced data controller, Yahoo UK had the resources to implement a more appropriate approach to data protection.13

Footnotes

  1. US Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures.
  2. Ibid, pp 14-15.
  3. Australian Institute of Company Directors, Corporate Governance into play as fast-rising threat makes security far more than a technology issue.
  4. US Securities and Exchange Commission, Commission Statement and Guidance on Public Company Cybersecurity Disclosures, p22.
  5. Office of the Australian Information Commissioner, Cross-border disclosure of personal information, p3.
  6. Ibid, p7.
  7. JD Supra, Yahoo's $35M SEC Settlement: takeaways from the first enforcement action for failure to disclose a data breach (4 May 2018).
  8. US Securities and Exchange Commission, Press Release: Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (24 April 2018).
  9. Ibid.
  10. Sarah N Lynch and Dustin Volz, US regulator fines Altaba $35 million over 2014 Yahoo email hack, Thomson Reuters (25 April 2018).
  11. Ibid.
  12. JD Supra, Yahoo's $35M SEC Settlement: takeaways from the first enforcement action for failure to disclose a data breach (4 May 2018).
  13. Information Commissioner's Office, Yahoo! UK Services Limited Monetary Penalty Notice (21 May 2018).