Earlier this week, the SEC announced that Altaba, a publicly-traded holding company that owns huge stakes in Chinese internet company Alibaba Group and Yahoo Japan, would pay a fine of $35 million for failing to disclose a 2014 data breach in which hackers stole information from more than 500 million Yahoo accounts.
Yahoo sold its main internet business to Verizon in 2017, renaming what remained as Altaba. Apparently Verizon bought the assets of Yahoo but did not agree to assume all of the liabilities, including the one flowing from the SEC action.
The SEC case is a fairly straightforward disclosure fraud case but for a couple of important aspects, which undoubtedly provided some consternation for SEC Commissioners Piwowar and Peirce Both Commissioners probably voted against the enforcement action for the following reasons:
- The $35 million penalty is against a corporation, which means, according to those two Commissioners, that the company’s shareholders ending up footing the bill for the fine. Over the years, starting with SEC Chairman Christopher Cox, a parade of Republican Commissioners have advanced numerous reasons as to why corporations shouldn’t be fined for disclosure frauds. Although not always consistent in their logic and rationales, the Republican Commissioners have been consistent in their philosophies: no fines against corporations for disclosure frauds, with a special carve out for broker-dealer entities and if it can be shown that the company profited from the fraud, a penalty is acceptable. Apparently Commissioner Piwowar also believes it is permissible to fine corporations for FCPA violations (a type of disclosure fraud), although the logic underpinning his rationale for this exception is not easy to follow. I suppose also it’s possible that he voted to approve the case against Yahoo but disagreed with the fine amount, and even possible he actually voted for the fine if his views on corporate penalties evolved yet again. I doubt, however, that Commissioner Peirce voted for any of the case — it just doesn’t seem like the sort of case that she would support given her outlook and loyalties. Personally, while I think that corporations should be fined for securities fraud as the statutes permits, I would have liked to have more explanation concerning how the SEC came up with the $35 million penalty. A penalty of $10 million or $20 million or $50 million would have seemed just as appropriate based on the information the SEC provided publicly. For an agency that emphasizes transparency in others, the SEC doesn’t always do such a great job disclosing how it comes up with the penalties it accesses, but perhaps that is just too hard to do.
- No individuals were charged even though the corporation was accused of negligence. I’m sure this was a issue that all Commissioners discussed exhaustively and exhaustingly with Enforcement staff. And because the proposed settlement did not include actions against individuals, the two Commissioners mentioned above would have viewed the action skeptically. A number of Commissioners and SEC officials have long argued that you can not and should not bring a case for negligence against a corporation if you don’t have a basis for charging individuals for negligent conduct. This is not unreasonable but it also well known that often, for a variety of reasons, an investigation will turn up evidence that a bunch of individuals at a company were involved in parts of a fraud but no particular person or persons seem to have been involved in all aspects of the fraud. There can be risks in bringing a case against an individual that don’t exist in a case against the corporation that the individual worked for. In this case, it’s not clear why no one was charged when the corporation was. A Yahoo internal investigation found that Former Yahoo Chief Executive Marissa Mayer failed to “properly comprehend or investigate” the account breach. And, Ronald Bell, Yahoo’s top lawyer, resigned shortly after the internal investigation. Perhaps charges against individuals will follow, since, as the SEC press release and administrative order both indicate, the SEC investigation is ongoing, inferring that conduct by individuals is still under scrutiny. That may be so, but it is also a little strange: you would think the staff’s investigation as to the individuals would be completed before settling the case with the company. The SEC doesn’t want to discover something new during its investigation of the individuals that implicates the company after it has already settled with the company. My guess is that the investigation was pretty comprehensive (and there was an internal investigation to crib from, which could have been quite useful) when the case was filed. Maybe the SEC will bring charges one day against some individuals or maybe the staff were in the process of negotiating terms with individuals (always tougher than negotiating with corporations) and those negotiations just dragged on too long, causing the staff to want to bring something sooner rather than later. Hard to tell from the public documents but it certainly doesn’t get any easier to bring charges against individuals after the first action is filed — it’s human nature for staff investigators to want to move on to the next project or investigation and the case evidence doesn’t get fresher. Defense counsel may now believe that the SEC doesn’t have a strong hand if it wasn’t prepared to bring the charges against the individuals when it filed its action against the entity. Time will tell.
The SEC in Action 