Authorities are investigating whether Yahoo should have reported its two significant data breaches to investors sooner than it did, according to a Wall Street Journal report.
According to the publication’s sources, the Securities and Exchange Commission (SEC) has opened an investigation into Yahoo’s breach notification process. More specifically, the SEC issued requests for documents back in December to ascertain whether Yahoo’s disclosures about the two massive cyberattacks complied with civil securities laws. SEC regulations require companies to immediately disclose cybersecurity risks when they are determined to have an impact on investors.
Case in point, Yahoo’s 2014 data breach saw the compromise of data belonging to nearly 500 million users. Although the company linked the incident to state-sponsored hackers that year, the breach was only disclosed in September 2016. In mid-December 2016, Yahoo claimed that it had only recently discovered a data breach dating from August 2013, one that compromised the details of over 1 billion Yahoo users.
WSJ sources further add that the SEC investigation is in its early stages and it’s still far too early in the process to determine any public action or sanctions.
According to legal experts, the SEC has been looking for a case from the past to clarify the finer details of what kind of conduct would fail to comply with the guidelines it issued in 2011. Previously, the 2013 Target breach, which saw the compromise of some 70 million credit- and debit-card accounts, was disclosed weeks after the breach began. Following an investigation, the SEC recommended no enforcement action against Target.
Regardless, the SEC’s investigation into the Yahoo breach is certain to set a precedent. The SEC has never before brought a case against a company for failing to disclose a data breach.
It is all the more notable that Yahoo’s shares dropped immediately after each data breach disclosure.
In November 2016, in a quarterly securities filing, Yahoo claimed that it was cooperating with a number of agencies, “federal state and foreign”, that sought information on the 2014 breach. Those agencies included the SEC.
The WSJ report also points to one insider who claims that Yahoo initially believed those impacted by the breach to be fewer than the 500 million users that the tech giant eventually disclosed. In an SEC filing, the company’s board of directors also claimed that they appointed a committee to investigate “the scope of knowledge within the Company” in relation to the 2014 breach.
Verizon Deal in Danger?
The two breach disclosures by Yahoo came after it had already agreed to sell its core business to telecom giant Verizon in July 2016. Verizon has since stated that it is studying whether the breach revelations result in a drop in Yahoo’s user base before proceeding with the deal.
It remains to be seen if the deal stands to be renegotiated or even terminated in light of two of the biggest data breaches ever revealed.