Adding to its mounting list of headaches, Yahoo is now facing a probe from the Securities and Exchange Commission as to whether or not it could have acted more promptly in response to two massive data breaches that left over a billion customers’ information compromised.
Specifically, the SEC is curious as to whether Yahoo’s disclosures about the cyberattacks complied with civil securities laws that require firms to disclose cybersecurity issues at the point they become of material interest to investors. Yahoo disclosed a breach of 500 million users’ data in September of 2016, despite the fact that the hack itself took place in 2014.
Yahoo has not yet detailed why it took two years to disclose the incident publicly. Yahoo also reported that a different massive breach in August 2013 had compromised around a billion users’ worth of data.
Yahoo is not the first firm to get an investigation to go along with its data breach. Target was also investigated for its 70 million customer account breach — though Target disclosed the breach within weeks of its starting. The SEC recommended no action.
Yahoo, according to some former SEC officials who spoke to the Wall Street Journal, is a more complex case since it withheld a disclosure for so long. It is unknown at this point when and if the SEC will bring forward a case — though most experts do seem to agree that a case in this matter would clarify the law in this area, particularly with regard to when a breach becomes materially important to investors.
The SEC has never brought a case against a company for failing to disclose a cyberbreach, though it has brought suit for failing to protect against one adequately.
John Reed Stark, a cybersecurity consultant who previously ran the SEC’s office of internet enforcement, noted that the SEC’s interest at all in this case was in itself attention-getting.
“In my 20 years at the SEC, I never referred a disclosure case to a prosecutor,” he said, noting that this case could be history-making in a few regards.
“Here, you are talking not just about the potential for a data breach, but a deal blowing up because of a data breach,” said Stark — in reference to Verizon’s planned acquisition of Yahoo, which will now at a minimum need to be repriced.
Yahoo is expected to report fourth-quarter earnings on Monday after the market closes. The company will not hold a call with analysts.