SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549
Pursuant to Section 13 OR 15(d)
of the Securities Exchange Act of 1934
Date of Report (Date of earliest event reported) April 24, 2018
(Exact name of registrant as specified in its charter)
(State or other jurisdiction
|140 East 45th Street, 15th Floor, New York, New York||10017|
|(Address of principal executive offices)||(Zip Code)|
Registrant's telephone number, including area code (646) 679-2000
(Former name or former address, if changed since last report.)
Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2. below):
|☐||Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)|
|☐||Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)|
|☐||Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))|
|☐||Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))|
Emerging growth company ☐
If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐
Section 7 - Regulation FD
Item 7.01 Regulation FD Disclosure.
On April 24, 2018, the Securities and Exchange Commission (the "SEC") announced the settlement of its investigation of Yahoo! Inc., now known as Altaba Inc. (the "Company"), related to the Company's previously disclosed data breaches disclosed on September 22, 2016 and in the 2016 10-K filed on March 1, 2016. The SEC's Order and press release announcing the resolution are furnished herewith as Exhibits 99.1 and 99.2.
The Company has agreed to settle with the SEC, without admitting or denying the allegations described in the SEC Order. The Order requires the Company to cease and desist from any further violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15. As part of the resolution, the Company also has agreed to pay a civil penalty in the amount of $35,000,000.
The information included in this Item 7.01 (including Exhibits 99.1 and 99.2) shall not be deemed filed for the purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the "Exchange Act"), or otherwise subject to the liabilities of that section, nor shall it be deemed incorporated by reference into any filing made by the Company under the Exchange Act or Securities Act of 1933, as amended, except as shall be expressly set forth by specific reference in such a filing.
Item 9.01 Financial Statements and Exhibits.
The following exhibits are furnished with this report on Form 8-K:
|99.2||SEC press release.|
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
|Date: April 25, 2018||By:|
|Title:||General Counsel and Secretary|
UNITED STATES OF AMERICA
SECURITIES AND EXCHANGE COMMISSION
SECURITIES ACT OF 1933
Release No. 10485 / April 24, 2018
SECURITIES EXCHANGE ACT OF 1934
Release No. 83096 / April 24, 2018
ACCOUNTING AND AUDITING ENFORCEMENT
Release No. 3937 / April 24, 2018
File No. 3-18448
ORDER INSTITUTING CEASE-AND-DESIST PROCEEDINGS PURSUANT TO SECTION 8A OF THE SECURITIES ACT OF 1933 AND SECTION 21C OF THE SECURITIES EXCHANGE ACT OF 1934, MAKING FINDINGS, AND IMPOSING A
In the Matter of
ALTABA INC., f/d/b/a
The Securities and Exchange Commission ("Commission") deems it appropriate that cease-and-desist proceedings be, and hereby are, instituted pursuant to Section 8A of the Securities Act of 1933 (the "Securities Act") and Section 21C of the Securities Exchange Act of 1934 ("Exchange Act"), against Altaba Inc., f/d/b/a Yahoo! Inc. ("Yahoo" or "Respondent").
In anticipation of the institution of these proceedings, Respondent has submitted an Offer of Settlement (the "Offer") which the Commission has determined to accept. Solely for the purpose of these proceedings and any other proceedings brought by or on behalf of the Commission, or to which the Commission is a party, and without admitting or denying the findings herein, except as to the Commission's jurisdiction over it and the subject matter of these proceedings, which are admitted, Respondent consents to the entry of this Order Instituting Cease-and-Desist Proceedings Pursuant to Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order ("Order"), as set forth below.
On the basis of this Order and Respondent's Offer, the Commission finds[1] that:
1. This matter concerns material misstatements and omissions by Yahoo, one of the world's largest Internet media companies, regarding a 2014 data breach affecting more than 500 million of its user accounts. In late 2014, Yahoo learned of a massive breach of its user database that resulted in the theft, unauthorized access, and acquisition of hundreds of millions of its users' data, including usernames, birthdates, and telephone numbers. At that time, the breach was the largest known theft of user data.
2. Despite its knowledge of the 2014 data breach, Yahoo did not disclose the data breach in its public filings for nearly two years. To the contrary, Yahoo's risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches that might expose the company to loss of its users' personal information stored in its information systems, as well as potential future litigation, remediation, increased costs for security measures, loss of revenue, damage to its reputation, and liability, without disclosing that a massive data breach had in fact already occurred. Yahoo management's discussion and analysis of financial condition and results of operations ("MD&A") in those reports was also misleading to the extent it omitted known trends or uncertainties with regard to liquidity or net revenue presented by the 2014 data breach.
3. Yahoo's disclosure violations continued in connection with a proposed sale of its operating business to Verizon Communications, Inc. ("Verizon") in July 2016. Although Yahoo was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement with Verizon, by which Verizon was to acquire Yahoo's operating business for $4.825 billion. The stock purchase agreement was attached to a Form 8-K filed with the Commission on July 25, 2016.
4. In September 2016, Yahoo disclosed the 2014 data breach in a press release filed as an attachment to a Form 8-K and also disclosed the 2014 data breach to Verizon. The day after Yahoo publicly disclosed the breach, Yahoo's market capitalization fell nearly $1.3 billion by virtue of a 3% decrease in its stock price. After Yahoo disclosed the 2014 data breach, Verizon renegotiated the stock purchase agreement to reduce the price paid for Yahoo's operating business by $350 million, representing a 7.25% reduction in price.
5. Based on the foregoing conduct, and the conduct described herein below, Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15 thereunder.
|1||The findings herein are made pursuant to Respondent's Offer and are not binding on any other person or entity in this or any other proceeding.|
6. At all relevant times, Yahoo was a publicly traded Internet media company incorporated in Delaware with its principal place of business in Sunnyvale, California. Prior to June 16, 2017, Yahoo's stock was registered with the Commission pursuant to Section 12(b) of the Exchange Act, and, at all relevant times, Yahoo was required to file reports with the Commission pursuant to Section 13 of the Exchange Act. Until June 19, 2017, Yahoo traded on the NASDAQ Global Select Market under the ticker "YHOO". In connection with the sale of its operating business to Verizon, Yahoo changed its name to Altaba Inc. on June 16, 2017 and continued to have its common stock registered under Section 12(b) of the Exchange Act, but as a publicly traded non-diversified, closed-end management investment company incorporated in Delaware with its principal place of business in New York, New York. As of June 19, 2017, Altaba Inc. has traded on the NASDAQ Global Select Market under the ticker symbol "AABA".
OTHER RELEVANT ENTITY
7. Verizon is a publicly traded telecommunications company incorporated in Delaware with its principal place of business in New York, New York. Verizon's stock is registered with the Commission pursuant to Section 12(b) of the Exchange Act and is traded on the New York Stock Exchange and the NASDAQ Global Select Market under the ticker "VZ". Verizon acquired Yahoo's operating business on June 13, 2017 pursuant to a July 23, 2016 stock purchase agreement and reorganization agreement, and February 20, 2017 amendments to those agreements, executed by and between Verizon, Yahoo, and Yahoo Holdings, Inc. ("Yahoo Holdings"), a wholly-owned subsidiary of Yahoo.
Yahoo's Disclosures Regarding Data Breaches
8. At all relevant times, Yahoo was one of the world's largest Internet media companies, providing over a billion users worldwide with an array of products and services, including Internet searching capabilities, communications services, including Internet-based email, and digital content products, such as Yahoo News and Yahoo Finance. Yahoo's products and services involved the storage and transmission of its users' personal information in its facilities and on its equipment, networks, and corporate systems.
9. As an Internet media company, Yahoo made certain risk factor disclosures pertaining to potential data breaches in its annual reports on Form 10-K for the fiscal years ended December 31, 2014 and December 31, 2015, and in its quarterly reports on Form 10-Q for the first three quarters of 2015 and the first two quarters of 2016.[2] These disclosures included the following header concerning security breaches: "If our security measures are breached, our products and services may be perceived as not being secure, users and customers may curtail or stop using our products and services, and we may incur significant legal and financial exposure." The disclosures also stated that Yahoo's products and services "involve the storage and transmission of Yahoo's users' and customers' personal and proprietary information in our facilities and on our equipment, networks and corporate systems," and that "[s]ecurity breaches expose us to a risk of loss of this information, litigation, remediation costs, increased costs for security measures, loss of revenue, damage to our reputation, and potential liability." The company's risk factor disclosures were incorporated by reference into registration statements on Form S-8 filed with the Commission on September 9, 2009 and September 11, 2014 that registered Yahoo's sales of its common stock under its employee stock purchase and option plans,[3] pursuant to which Yahoo received approximately $384 million in cash proceeds in 2014, 2015, and 2016.
|2||Item 1A of Part 1 of Form 10-K requires an issuer to set forth, under the caption "Risk Factors," the risk factors described in Item 503(c) of Regulation S-K [17 C.F.R. § 229.503(c)] which are applicable to the issuer. Item 1A of Part 2 of Form 10-Q requires an issuer to set forth any material changes from the risk factors as previously disclosed in response to Item 1A to Part 1 of the issuer's Form 10-K. Item 503(c) of Regulation S-K provides, in relevant part, that, where appropriate, an issuer must provide a discussion of the most significant factors that make the offering speculative or risky, must not present risks that could apply to any issuer or any offering, and must explain how the risk affects the issuer or the securities being offered. Item 503(c) further provides that each risk factor must be set forth under a subcaption that adequately describes the risk.|
|3||Yahoo filed a Form S-8 registering sales under a Yahoo Stock Plan and Yahoo Amended and Restated 1996 Employee Stock Purchase Plan on September 9, 2009 (333-161806), and subsequently filed a new Form S-8 for the Yahoo Stock Plan on September 11, 2014 (333-198687). Both Form S-8s incorporated all future filed periodic reports and current reports pursuant to Section 13(a) of the Exchange Act.|
10. In the summer of 2016, Yahoo engaged in negotiations to sell its operating business to Verizon. In response to queries regarding past data breaches by Verizon during due diligence, Yahoo created a spreadsheet that falsely represented to Verizon that it was only aware of four minor breaches in which its users' personally identifying information was exposed, but did not disclose the 2014 theft of hundreds of millions of users' personal data in its response. During a June 27, 2016 telephone call requested by Verizon to discuss the four breaches disclosed by Yahoo in its due diligence responses, Yahoo further did not disclose the 2014 theft of its users' personal data.
11. Ultimately, on July 23, 2016, Yahoo agreed to transfer the operating business to Yahoo Holdings at close, and entered into a stock purchase agreement with Verizon, by which Yahoo sold all of the outstanding shares of Yahoo Holdings to Verizon for $4,825,800,000 in cash. In the stock purchase agreement, Yahoo again affirmatively represented and warranted the following, in relevant part:
To the Knowledge of [Yahoo], there have not been any incidents of, or third party claims alleging, (i) Security Breaches,[4] unauthorized access or unauthorized use of any of [Yahoo's] information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in [Yahoo]'s possession, or other confidential data owned by [Yahoo], in each case (i) and (ii) that could reasonably be expected to have a Business Material Adverse Effect.[5]
These representations were made publicly available when Yahoo attached the stock purchase agreement to a Form 8-K filed with the Commission on July 25, 2016.
|4||The stock purchase agreement defined "Security Breach[es]" as "any actual (i) loss or misuse (by any means) of Personal Data; (ii) unauthorized or unlawful Processing, sale, or rental of Personal Data; or (iii) other act or omission that compromises the security or confidentiality of Personal Data."|
|5||The stock purchase agreement defined a "Business Material Adverse Effect" as "any circumstance, event, development, effect, change or occurrence that, individually or in the aggregate, (a) would, or would reasonably be expected to, prevent, materially delay or materially impede the ability of [Yahoo] to consummate the [reorganization agreement and sale of the outstanding shares of Yahoo Holdings] or (b) has had, or would or would reasonably be expected to have, a material adverse effect on the business, assets, properties, results of operation or financial condition of the Business, taken as a whole," with certain enumerated exceptions.|
Yahoo's Contemporaneous Knowledge of the 2014 Breach
12. Despite the disclosures set forth above, in late 2014, Yahoo had learned of a massive breach of its user database that resulted in the theft, unauthorized access, or acquisition of hundreds of millions of its users' personal data. At this time, Yahoo's internal information security team became aware that the company's information technology networks and systems had suffered a severe and widespread intrusion by hackers associated with the Russian Federation.
13. By December 2014, Yahoo's information security team, including its Chief Information Security Officer, had determined that the hackers had stolen copies of Yahoo's user database files containing the personal data of at least 108 million users, and likely even Yahoo's entire user database of billions of users. The personal data in the stolen files included highly sensitive information that Yahoo's information security team referred to as Yahoo's "crown jewels": Yahoo usernames, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. Yahoo's information security team, including its Chief Information Security Officer, also concluded that the hackers had successfully gained access to a separate source of data: the email accounts of 26 Yahoo users specifically targeted by the hackers because of their connections to Russia.
14. Within days after Yahoo's information security team reached these conclusions, members of Yahoo's senior management and legal teams received various internal reports from Yahoo's Chief Information Security Officer stating that the theft of hundreds of millions of Yahoo users' personal data had occurred. As Yahoo has stated, the company's relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. Yahoo Form 10-K for FY2016 at 47 (filed with the Commission on March 1, 2017). However, Yahoo senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo's public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading.
15. Furthermore, Yahoo's senior management and legal teams did not share information regarding the breach with Yahoo's auditors or outside counsel in order to assess the company's disclosure obligations in its public filings. Yahoo did not maintain disclosure controls and procedures designed to ensure that reports from Yahoo's information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo's public filings, including, but not limited to, in its risk factor disclosures or MD&A.[6] To the extent that Yahoo shared information regarding the breach with affected users, they only notified the 26 users whose email accounts were accessed during the breach.
16. As a result of these failures, Yahoo did not disclose the theft of Yahoo users' personal data in its public filings. Instead, Yahoo's risk factor disclosures in its annual reports for the years ended December 31, 2014 and December 31, 2015, and in its quarterly reports for the first three quarters of 2015 and the first two quarters of 2016, misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches. In addition, Yahoo's filings did not address the breach's potential impact on the company's business in its risk factors; nor did they address known trends or uncertainties with regard to liquidity or net revenue presented by any current or future expenses and losses related to the 2014 data breach in its MD&A.
17. After the 2014 breach, Yahoo's information security team determined that the same hackers were continuously targeting Yahoo's user database throughout 2015 and early 2016, and also received reports raising the possibility of a high volume of compromised Yahoo user credentials for sale on the dark web. Based on this information, by June 2016, Yahoo's new Chief Information Security Officer (hired in October 2015) concluded that Yahoo's entire user database, including the personal data of its users, had likely been stolen by nation-state actors through several hacker intrusions (including the 2014 breach), and ultimately could be exposed on the dark web in the immediate future. The Chief Information Security Officer communicated these conclusions to at least one member of Yahoo's senior management as Yahoo was negotiating the sale of its operating business to Verizon. Despite this further evidence indicating the theft of Yahoo's user database, Yahoo affirmatively represented to Verizon that it was unaware of any security breaches with a Business Material Adverse Effect in its stock purchase agreement, which was subsequently filed as an exhibit to a Form 8-K on July 25, 2016.
|6||Item 7 of Part 2 of Form 10-K (Management's Discussion and Analysis of Financial Condition and Results of Operations) requires an issuer to furnish the information required by Item 303(a) of Regulation S-K [17 C.F.R. § 229.303]. Item 303(a) of Regulation S-K provides, in relevant part, that, a registrant shall discuss its financial condition, changes in financial condition and results of operations, including, among other things, identifying any known trends or any known demands, commitments, events or uncertainties that will result in or that are reasonably likely to result in the registrant's liquidity increasing or decreasing in any material way and any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations. Item 2 of Part 1 of Form 10-Q (Management's Discussion and Analysis of Financial Condition and Results of Operations) requires an issuer to furnish the information required by Item 303(b) of Regulation S-K, which provides, in relevant part, that a registrant shall discuss any material changes from the end of the preceding fiscal year with respect to its financial condition and results of operations, including a discussion of material changes in those items listed in Item 303(a) (except for the impact of inflation and changing prices on operations).|
18. Based on the foregoing, Yahoo acted negligently in filing materially misleading periodic reports with the Commission. In particular, Yahoo knew, or should have known, that its risk factor disclosures and MD&A in its annual reports on Form 10-K for the fiscal years ended December 31, 2014 and December 31, 2015, and in its quarterly reports on Form 10-Q for the first three quarters of 2015 and the first two quarters of 2016, and its stock purchase agreement with Verizon (which was filed as an exhibit to a current report on Form 8-K), as incorporated into its Form S-8 registration statements, were materially misleading.
Yahoo's Disclosure of the 2014 Breach
19. On or about September 22, 2016, Yahoo disclosed the 2014 breach and the resulting theft of data involving 500 million of its user accounts in a press release attached to a Form 8-K, and also disclosed the existence of the theft to Verizon. The day after Yahoo publicly disclosed the breach, and despite its July announcement of the pending sale to Verizon, Yahoo's market capitalization fell nearly $1.3 billion by virtue of a 3% decrease in its stock price. After disclosure of the 2014 breach, and after renegotiation of the terms of the sale of Yahoo's operating business pursuant to the stock purchase and reorganization agreements, Verizon and Yahoo agreed to a reduction in the acquisition price for Yahoo's operating business of $350 million, representing a 7.25% discount.
20. Yahoo also amended its risk factor disclosures and MD&A to address the 2014 breach in its subsequent public filings. With respect to risk factors, Yahoo acknowledged in its Form 10-Q for the third quarter of 2016 (filed October 9, 2016) that the data breach risk had already materialized by virtue of the 2014 data breach (referred to as the "Security Incident"). Specifically, Yahoo stated "Our security measures may be breached, as they were in the Security Incident and user data accessed, which may cause users and customers to curtail or stop using our products and services, and may cause us to incur significant legal and financial exposure" (italics added). Yahoo also added a risk factor specific to the 2014 data breach indicating that the full extent of its impact and the impact of related government investigations and civil litigation on our results of operation could be material. With respect to its MD&A, Yahoo disclosed in its Form 10-Q for the third quarter of 2016 that the company expected to incur expenses, including investigation, remediation, and legal costs, related to the 2014 breach.
21. Yahoo also corrected prior statements that its disclosure controls and procedures were effective. In each of its 2014 and 2015 Form 10-Ks and Form 10-Qs for the first three quarters of 2015 and the first two quarters of 2016, Yahoo stated that its principal executive officer and principal financial officer evaluated the effectiveness of its disclosure controls and procedures (as such term is defined in Rules 13a-15(e) under the Exchange Act) and, for each period covered by the foregoing reports, had concluded that Yahoo's disclosure controls and procedures were effective. In its 2016 Form 10-K, filed with the Commission on March 1, 2017, Yahoo disclosed that its principal executive officer and principal financial officer had concluded that, due exclusively to deficiencies in the Company's existing security incident response protocols related to the 2014 Security Incident, the Company's disclosure controls and procedures for each of the annual and quarterly periods ended December 31, 2014 through September 30, 2016 were not effective at the end of each such period.
22. As a result of the conduct described above, Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act [15 U.S.C. §§ 77q(a)(2) and (3)], which make it unlawful for any person in the offer or sale of any securities by the use of any means or instruments of transportation or communication in interstate commerce or by use of the mails, directly or indirectly, to obtain money or property by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading; or to engage in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser.
23. As a result of the conduct described above, Yahoo violated Section 13(a) of the Exchange Act [15 U.S.C. § 78m(a)] and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15 thereunder [17 C.F.R. §§ 240.12b-20, 240.13a-1, 240.13a-11, 240.13a-13, and 240.13a-15], which require every issuer of a security registered pursuant to Section 12 of the Exchange Act to file with the Commission, among other things, annual, quarterly, and current reports as the Commission may require, to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or submits under the Exchange Act is recorded, processed, summarized, and reported within the time periods specified in the Commission's rules and forms, and mandate that periodic and current reports contain such further material information as may be necessary to make the required statements not misleading.
Respondent Yahoo has undertaken to:
24. Cooperate fully with the Commission in any and all investigations, litigations or other proceedings relating to or arising from the matters described in the Order. In connection with such cooperation, Yahoo agrees that cooperation includes the following:
|a.||On an ongoing basis, producing, without service of a notice or subpoena, to the Commission non-privileged documents and other materials, wherever located, in Respondent's possession, custody, or control, and/or appropriate privilege logs, as requested by the Division's staff and within 14 days of request. Respondent agrees that it will preserve and produce documents within its possession, custody, or control at any point, notwithstanding the sale of the operating business to Verizon;|
|b.||Using its best efforts to secure the full, truthful, and continuing cooperation of Respondent's current and former directors, officers, employees and agents, including making those persons available for interviews and the provision of testimony in any and all investigations, litigations or other proceedings relating to or arising from the matters described in the Order when requested to do so by the Division's staff, at Respondent's expense;|
|c.||Using its best efforts to ensure its directors, officers and employees respond to all inquiries related to any and all investigations, litigations or other proceedings relating to or arising from the matters described in the Order and any related proceedings when requested to do so by the Division's staff; and|
|d.||Using its best efforts to ensure its directors, officers and employees testify at trial and other judicial or administrative proceedings when requested to do so by the Division's staff.|
25. In determining whether to accept the Offer, the Commission has considered these undertakings.
In view of the foregoing, the Commission deems it appropriate to impose the sanctions agreed to in Respondent Yahoo's Offer.
Accordingly, it is hereby ORDERED that:
A. Pursuant to Section 8A of the Securities Act and Section 21C of the Exchange Act, Respondent cease and desist from committing or causing any violations and any future violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act, and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15 thereunder.
B. Respondent shall, within ten (10) days of the entry of this Order, pay a civil money penalty in the amount of $35,000,000.00 to the Securities and Exchange Commission for transfer to the general fund of the United States Treasury, subject to Exchange Act Section 21F(g)(3). If timely payment is not made, additional interest shall accrue pursuant to 31 U.S.C. §3717.
Payment must be made in one of the following ways:
|(1)||Respondent may transmit payment electronically to the Commission, which will provide detailed ACH transfer/Fedwire instructions upon request;|
|(2)||Respondent may make direct payment from a bank account via Pay.gov through the SEC website at http://www.sec.gov/about/offices/ofm.htm; or|
|(3)||Respondent may pay by certified check, bank cashier's check, or United States postal money order, made payable to the Securities and Exchange Commission and hand-delivered or mailed to:|
Enterprise Services Center
Accounts Receivable Branch
HQ Bldg., Room 181, AMZ-341
6500 South MacArthur Boulevard
Oklahoma City, OK 73169
Payments by check or money order must be accompanied by a cover letter identifying Yahoo as a Respondent in these proceedings, and the file number of these proceedings; a copy of the cover letter and check or money order must be sent to Erin E. Schneider, Division of Enforcement, Securities and Exchange Commission, 44 Montgomery Street, Suite 2800, San Francisco, California, 94104.
C. Amounts ordered to be paid as civil money penalties pursuant to this Order shall be treated as penalties paid to the government for all purposes, including all tax purposes. To preserve the deterrent effect of the civil penalty, Respondent agrees that in any Related Investor Action, it shall not argue that it is entitled to, nor shall it benefit by, offset or reduction of any award of compensatory damages by the amount of any part of Respondent's payment of a civil penalty in this action ("Penalty Offset"). If the court in any Related Investor Action grants such a Penalty Offset, Respondent agrees that it shall, within 30 days after entry of a final order granting the Penalty Offset, notify the Commission's counsel in this action and pay the amount of the Penalty Offset to the Securities and Exchange Commission. Such a payment shall not be deemed an additional civil penalty and shall not be deemed to change the amount of the civil penalty imposed in this proceeding. For purposes of this paragraph, a "Related Investor Action" means a private damages action brought against Respondent by or on behalf of one or more investors based on substantially the same facts as alleged in the Order instituted by the Commission in this proceeding.
D. Respondent acknowledges that the Commission is not imposing a civil penalty in excess of $35,000,000.00 based upon its undertaking to cooperate fully with the Commission in any and all investigations, litigations, or other proceedings relating to or arising from the matters described in the Order. If at any time following the entry of the Order, the Division of Enforcement ("Division") obtains information indicating that Yahoo knowingly provided materially false or misleading information or materials to the Commission, or in a related proceeding, or the Division determines that Yahoo has not complied with its undertaking to cooperate fully in any and all investigations, litigations, or other proceedings relating to or arising from the matters described in the Order, the Division may, at its sole discretion and with prior notice to Yahoo, petition the Commission to reopen this matter and seek an order directing that Yahoo pay an additional civil penalty. Yahoo may contest by way of defense in any resulting administrative proceeding whether it knowingly provided materially false or misleading information or failed to comply with its undertaking to cooperate fully in any and all investigations, litigations, or other proceedings relating to or arising from the matters described in the Order, but may not: (1) contest the findings in the Order; or (2) assert any defense to liability or remedy, including, but not limited to, any statute of limitations defense.
By the Commission.
Brent J. Fields
Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million
FOR IMMEDIATE RELEASE
Washington D.C., April 24, 2018 - The Securities and Exchange Commission today announced that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world's largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.
According to the SEC's order, within days of the December 2014 intrusion, Yahoo's information security team learned that Russian hackers had stolen what the security team referred to internally as the company's "crown jewels": usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for hundreds of millions of user accounts. Although information relating to the breach was reported to members of Yahoo's senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors. The fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc.
"We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company's response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case," said Steven Peikin, Co-Director of the SEC Enforcement Division.
Jina Choi, Director of the SEC's San Francisco Regional Office, added, "Yahoo's failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors."
The SEC's order finds that when Yahoo filed several quarterly and annual reports during the two-year period following the breach, the company failed to disclose the breach or its potential business impact and legal implications. Instead, the company's SEC filings stated that it faced only the risk of, and negative effects that might flow from, data breaches. In addition, the SEC's order found that Yahoo did not share information regarding the breach with its auditors or outside counsel in order to assess the company's disclosure obligations in its public filings. Finally, the SEC's order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo's information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.
Verizon acquired Yahoo's operating business in June 2017. Yahoo has since changed its name to Altaba Inc.
Yahoo neither admitted nor denied the findings in the SEC's order, which requires the company to cease and desist from further violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-15.
The SEC's investigation, which is continuing, has been conducted by Tracy S. Combs of the Cyber Unit and supervised by Jennifer J. Lee and Erin E. Schneider of the San Francisco office.
Earlier this year, the SEC adopted a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.