




November 14, 2018



Last month, the parties in the litigation pending in a California court regarding the massive Yahoo data breach disclosed in 2016 filed a motion seeking preliminary approval of a settlement for $50 million in damages, and for Yahoo to provide two years of free credit-monitoring services to the 200 million people who had their email and personal information stolen.


On October 3, 2017, Yahoo disclosed that three times as many accounts were impacted by data breaches as the company had previously disclosed in 2016, in its quarterly filing with the U.S. Securities and Exchange Commission (SEC). In total, as many as 3 billion accounts, or every single customer that existed at the time, were impacted.


After Verizon acquired Yahoo in 2017, it expanded its investigation into the breach by contracting outside forensic experts. Four people have been indicted for the attack by the Department of Justice (DOJ). The SEC and U.S. Federal Trade Commission (FTC) launched investigations over the company's failure to disclose and investigate the breach in a timely manner. The SEC brought charges against Yahoo for misleading investors by failing to promptly and accurately disclose one of the world's largest data breaches. Yahoo ultimately agreed to pay a $35 million penalty to settle the SEC charges. It was the first cease-and-desist order and penalty by the SEC against a public company for failing to disclose known cyber incidents in its public filings; this came on the heels of the SEC's new guidelines for disclosures of cyberattacks.


One of the key problems raised by regulators and plaintiffs in this case was that Yahoo failed to promptly and fully investigate the breaches when they actually happened, and it appears the company did not have adequate policies and procedures in place to address a breach of this kind. 


With increasing class actions derived from data breaches and additional scrutiny by the SEC, FTC and other regulators involving cyberattacks and disclosures, it has become critical for companies to establish or enhance their Privacy and Data Protection Compliance Programs. MDO Partners encourages companies to conduct cybersecurity risk assessments, adopt robust privacy policies, enhance disclosure controls and adopt cyberattack investigation procedures to help mitigate the risks associated with cyberattacks and data breaches. Our attorneys and advisors have experience advising clients on the relevant privacy matters and cybersecurity measures that should be taken to establish and maintain an effective Privacy and Data Protection Compliance Program.


About MDO Partners


MDO Partners is a boutique law firm that focuses on Corporate, International, and Real Estate Law, as well as Global Compliance and Business Ethics. The firm is comprised of a solid team of attorneys and advisors with more than 100 years of combined experience who are committed to the business goals and best interests of their clients. The firm delivers value-added services of the highest caliber, and serves as a trusted advisor to its clients with a practical and business-savvy approach. For more information on MDO Partners, please visit


If you have questions or comments regarding this Alert, please contact the attorney or advisor listed below.


Richard Montes de Oca

Managing Partner



Javier Jaramillio

Compliance Advisor





175 SW 7th Street

Suite 1900
Miami, FL 33130
