MY TAKE: Why the SEC’s reporting guidance, Yahoo’s $80M payout will shake up board rooms

The most encouraging thing about the U.S. Securities and Exchange Commission formally issuing cybersecurity reporting “guidance” for public companies last month was, ironically, commissioner Kara Stein’s disappointment that her colleagues did not go much further.

Related video: Howard Schmidt’s 2015 observations on board involvement

Stein said she would have liked to have seen the commission do a lot more than rehash staff-written best practices suggestions that have been laying around since 2011. Her assertive stance resonated just a few days later when Yahoo agreed to settle a milestone securities case, for a cool $80 million.

Data thieves stole personal records for 1 billion individuals from Yahoo. So now the portal giant will pay a legal settlement that’s more than four times the $18.5 million payout Target had to cough up losing data for  41 million customers.

Yahoo’s poor practices — neglecting to  encrypt and sufficiently protect data; failing to detect and disclose the breach in a timely manner; bulling ahead with the sale to Verizon — resulted in exponentially more victims than Target.

More crucially, unlike the Target case, the Yahoo case was pressed by plaintiff’s attorneys representing consumers  in securities-related lawsuit. (Attorney generals from 47 states sued Target.)  And the private attorneys hit the jackpot. In addition the $80 million for injured consumers, the plaintiffs’ attorneys have asked the court to order Yahoo to pay $20 million in legal fees, and up to $750,000 as reimbursement for other work.expenses.

Buck stops with board

Together the SEC’s freshly-minted advice, the Yahoo settlement shines a bright light on D&O liability. It’s now crystal clear that board directors and senior executives can be held accountable for any major data breach that occurs on their watch.

The SEC formal “interpretive guidance,” which took effect Feb. 26,  reinforces the notion that, when it comes to data breaches, the buck stops in the board room. The commission addressed  the importance of cybersecurity policies and procedures and stressed that companies have an obligation to consider the “materiality of cybersecurity risks and incidents” when preparing public reports.


Willy Leichter, marketing vice president at Virsec Systems, a supplier of application security systems, notes that the commission is now formally asking public companies to  inform investors about material cybersecurity risks and incidents in a timely fashion.  “This includes those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack,” Leichter says.

Read the tea leaves

Board directors and senior executives ought to view this as one big step toward prescriptive reporting  rules and hefty penalties. All it would take is a shift in the political winds, and for the next President to populate the SEC with  appointees who share Stein’s understanding and bent.


Stein, who was appointed to her seat in 2013 by President Obama,  asserts that she would have liked to have seen the commission push for risk management framework improvements,  minimum standards to protect the personally identifiable information of investors, and timely notice to investors. Specifically, she’d like to require companies to file a Form 8-K following a cyberattack, providing disclosure that informs the public without unduly harming the company.

This rising specter of regulation should loosen some purse strings, at least at organization previously apathetic about treating data security as a cost of doing business. “It is often the threat of regulatory penalties that unlocks a company’s resources to go ahead with data protection programs that could otherwise have been perpetually delayed,” opines Brendan Rizzo, technical director  at Voltage Security. “In this scenario, companies and consumers both benefit from the increased security.”

Yahoo’s legal woes

If the SEC’s guidance isn’t a sufficient motivator, then Yahoo’s legal woes, coupled with its humiliating airing of poor security practices – should hold directors’ and officers’ feet closer to the fire in board rooms across America.

Yahoo clearly messed up – big time. In Sept. 2016, when tech giant disclosed that is lost personal data for 500 million users, its share price sank 3.06%.  Then in December 2016, it disclosed losing  data for 1 billion users  — in a separate breach. It’s shares dove 6.11%. And when the plaintiff’s lawyers learned that the smaller breach occurred in 2014 and the larger one in 2013, they must have started drooling.

The deal closer – in terms of plaintiff attorneys’ ability to demonstrate material damage — was the hefty discount Verizon Communications managed to squeeze out of its 2017 acquisition of Yahoo. Verizon sought and obtained a price cut of $350 million, according to the plaintiffs’ law firm, Pomerantz LLP.


Thus, Yahoo finds itself in the ignominious position of funding the plaintiff bars’ first big payday stemming from a major data breach, blogs  Kevin M. LaCroix  an attorney RT ProExec, management liability consultancy.

“It is hard to know for sure, but this milestone settlement, together with the SEC’s new disclosure guidelines, could mean that data breach-related shareholder litigation could be an area of increased focus for the plaintiffs’ lawyers,” LaCroix writes.

I have a funny feeling it won’t be too long before we find out if Mr. LaCroix is right.




*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: