Yahoo’s data breach seemed the last gasp for Yahoo. But the company’s legacy lives on. Because the breach in 2014 was so large and it is not clear when the company was aware of the attack or whether authorities should have been informed earlier, the breach may become a test case for cybersecurity regulation by the SEC.
SEC data breach disclosure rules are vague to say the least. The recent announcement by Yahoo that it was hacked and 500 million accounts were exposed in 2014 and the fact that Yahoo did not state when it became aware of the attack has highlighted inadequate disclosure rules for public companies.
Because the Yahoo case was so large in scale and whether Yahoo executives acted responsibly is uncertain, it may become a test case for the SEC in shaping new guidelines. Yahoo claimed on Sept. 22 that the breach was a state-sponsored attack. This week, Sen. Mark Warner (D-VA) asked the U.S. Securities and Exchange Commission to investigate the disclosure action taken by Yahoo’s executives.
Warner has asked the SEC in a letter to evaluate whether the current disclosure regime is adequate. According to Warner, less than 100 of 9,000 public companies have reported a data breach since 2010. “I don’t know that we need new rules. But in certain situations, you may need more aggressive enforcement,” said Roberta Karmel, a Brooklyn Law School professor.
In 2014, the SEC considered strengthening the disclosure rules on cybersecurity and did impose new requirements but only for broker dealers and investment advisers, not public companies.
Yahoo did not specify when it became aware of the 2014 attack. According to Jacob Olcott, former Senate Commerce Committee counsel, the SEC has been waiting for a case to use as an example, and this latest breach is apropos.
The SEC has never taken action against a company for cybersecurity disclosure failure or delay, and only two actions concerning insufficient data protection have been initiated. The reason, according to lawyers, is that breaches are difficult to assess and whether they have an adverse effect is not always straightforward.
In 2011, publicly traded companies were instructed by the SEC to report attacks that could have a “material adverse effect on the business;” however, there was no strict definition of such events.
Policymakers are not keen to initiate stricter rules on the disclosure of cyberattacks because companies might fear disciplinary action and not cooperate with authorities. To avoid this problem, in 2015, Congress expanded liability protections for companies that do disclose hacks. Commerce Secretary Penny Pritzker also wants companies to receive temporary immunity to any disciplinary action during the response to a hack.
According to Reuters, the Federal Trade Commission has brought 60 successful data security cases since 2001 because it has introduced clearer regulations.