Recent revelations that Yahoo, Inc. faced massive fines for resisting a secret National Security Agency “request” for user data have added a new wrinkle to the already complicated debate over the U.S. government’s electronic surveillance programs. What can a publicly traded company do when one federal agency, the NSA, compels it to remain silent about information that another, the Securities and Exchange Commission, may require it to disclose because of its import to investors?
Mass data sweeps like those carried out by the NSA under its PRISM program often target the companies that control that information – telephone, Internet and social media giants such as AT&T, Google, and Facebook. NSA data requests are issued in secret from a secret court (the Foreign Intelligence Surveillance Court, or “FISC”) and companies targeted cannot reveal even the fact they have received a request. Challenges to and enforcement of NSA requests all also take place in secret.
Enter Yahoo. Last month, the Internet search, news and entertainment company publicized 1,500 pages of declassified documents detailing its losing fight against a 2007 NSA request for certain Yahoo user data. Having resisted the initial NSA request, in May 2008, the FISC ordered Yahoo to comply. Yahoo appealed to the Foreign Intelligence Court of Review but lost. At that point, Yahoo complied with the request and turned over its user data to the government rather than pursue an appeal to the United States Supreme Court.
Undoubtedly, a factor in Yahoo’s acquiescence was the amount of the fines sought by the government had Yahoo refused to comply. As a contempt sanction, the government sought an initial daily fine of $250,000, with the amount of the fine doubling every week. Had Yahoo continued to refuse to comply, within twelve weeks the fines would have accrued to $7.2 billion – more than Yahoo’s entire annual revenue in 2008. And the initial NSA request, the FISC order, the appeal, and the payment of any such fines would have had to remain completely secret. (Indeed, it took four years of continued litigation by Yahoo to successfully declassify the documents and bring the story to light.) It is here that the conflict with federal securities laws arises.
Federal securities laws – and U.S. capital markets, generally – are predicated on disclosure. There are a host of regulations that detail what material information a corporation must disclose to investor. Material information can include information that a reasonable investor would consider relevant in deciding whether to buy, sell, or hold a particular security. Failure to disclose material information compelled by a statute (or necessary to make prior statements from being misleading) may result in civil liability and regulatory penalties.
There can be little doubt that the ruinous sanctions faced by Yahoo for its noncompliance would qualify as material information. Moreover, shareholder activists (in pressuring companies for greater transparency) have often asserted that compliance with government surveillance programs itself creates potential financial, legal, and reputational harm that must be disclosed. This is particularly so for technology companies whose users place a premium on data privacy.
How, then, can corporations reconcile the government’s demands for utmost secrecy around its surveillance programs with the companies’ duty to disclose material information to the public? That question will likely remain unanswered either until a corporation targeted by the NSA appeals all the way to the U.S. Supreme Court or until Congress acts to clarify which interest outweighs the other – information gathering related to national security, or the transparency essential to a free capital market.
In the meantime, corporate attorneys must attempt to walk the tightrope between what their U.S. listed clients must disclose and what they must keep secret. And shareholders must consider the possibility that their considered investments in seemingly prosperous companies could face unknown risks from secret government action.