Langevin Statement on SEC Settlement with Yahoo over 2014 Data Breach

Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus, released the following statement regarding the Securities and Exchange Commission’s first enforcement action regarding a publicly traded company’s failure to disclose a cybersecurity incident:

“Investors have a right to know whether companies are taking cybersecurity seriously. I praised the SEC’s 2011 cybersecurity guidance because I believe that increased transparency will provide a market-based incentive to drive adoption of best security practices. However, the guidance is meaningless without enforcement to back it up. Today’s announcement of a $35 million fine in response to Yahoo’s failure to disclose its massive 2014 data breach is a long overdue first step toward providing real protections for investors. I agree that we should ‘not second-guess good faith exercises of judgment’ by executives, but the bias should be toward disclosing a breach, not burying it. Yahoo’s case exemplifies the materiality of data breaches, but a significant change in acquisition price cannot be a prerequisite for regulatory action to protect shareholders. I hope the SEC builds upon this case and takes other action to keep investors informed about the significant cybersecurity risks we face in this digital age.”