Davis Polk Discusses SEC’s $35 Million Fine for Late Cyberbreach Disclosure

On April 24, the Securities and Exchange Commission charged Altaba Inc., formerly Yahoo! Inc., with misleading shareholders by waiting almost two years to disclose its 2014 data breach. Consenting to a cease-and-desist order, Altaba agreed to pay a $35 million penalty in the first SEC enforcement action against a public company relating to cyberbreach notification. The SEC’s action follows a trend by state attorneys general and other regulators in exacting significant penalties from companies that fail to provide timely breach notification. Yahoo! previously reached an $80 million settlement to resolve a class-action securities case for failure to disclose the …

Davis Polk Discusses Target’s Cyber Breach Settlement

On May 23, Target Corp. reached a record $18.5 million settlement with 47 states and the District of Columbia to end investigations into Target’s data breach in 2013.  The settlement highlights the growing list of specific measures that companies are expected to have in place to mitigate the risk of cyber breaches.

In 2015, Target reached a class action settlement with consumers that required the company to implement certain measures to protect customer information. In re Target Corporation Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Mar. 18, 2015). Comparing the measures that were required in the 2015 settlement …

Davis Polk Discusses Appellate Reversal of $1.3 Billion Penalty Against Countrywide, Based on Appellate Finding of Lack of Intent

On May 23, 2016, the United States Court of Appeals for the Second Circuit reversed a $1.3 billion civil penalty imposed against Countrywide Home Loans, Inc., Bank of America, N.A., and related defendants (collectively, “Countrywide”) under the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (“FIRREA”).[1] Although the decision rebuffed the government’s case against Countrywide, it did not address the government’s novel interpretation that FIRREA permits civil penalties against financial institutions whose criminal conduct is “self-affecting.” FIRREA permits civil penalties against a defendant if it commits certain unlawful acts “affecting a federally insured financial institution.”[2] Over a …