Law360 quoted Haynes and Boone, LLP Partner Kit Addleman on a $35 million fine levied by the U.S. Securities and Exchange Commission against Altaba Inc., formerly known as Yahoo, for not disclosing a 2014 data breach until 2016.
The penalty, announced April 24, was the first issued by the agency in a case that alleged investors were misled by a company’s failure to disclose a cyberattack — but the fine was directed only at the company, not individual executives, Law360 reported.
The report said that Addleman, a former SEC regional director in Atlanta, said the SEC tends to “escalate” its actions when new issues such as failing to disclose cyberbreaches arise, usually taking action against the company first and then moving on to individuals, if warranted. She said the SEC’s Yahoo order was “expected to resonate with company officers and executives,” and predicted the SEC will be “more aggressive with respect to individuals” in future actions taken against companies that fail to disclose cyberattacks.
Addleman said the $35 million fine stated “very loudly that this is important to the commission," while noting that the SEC alleged in its order outlining the allegations against Yahoo that the company acted “negligently” rather than with intent, an important distinction in terms of potentially finding company executives individually liable.
Still, Addleman noted that the SEC made clear its investigation is ongoing. “We certainly don’t have any indication that the SEC intends to bring an action against any individuals,” she said. “But the language of the order and the SEC’s press release don’t foreclose that as a possibility.” ...
Excerpted from Law360. To read the full article, click here. (Subscription required)