The investigation into Yahoo's data breaches could set a precedent for the timeliness of acknowledging future hacks for companies.
It’s been years since a couple of massive data breaches at Yahoo compromised information of more than 1 billion users and months since the company disclosed it, but the headaches are still far from over for the ailing tech giant. On Monday, the Wall Street Journal reported the Securities and Exchange Commission has opened an investigation examining whether the behemoth hacks should have been reported in a more timely fashion to investors. The ruling on the case may set an important precedent on whether or not it is necessary for companies to reveal security breaches.
The SEC first requested documents from the Sunnyvale, California-based company in December and will be determining whether Yahoo complied with civil securities laws in its disclosure tactics. Current SEC requirements necessitate that companies alert cybersecurity risks if they might affect investors.
Yahoo first revealed the 2014 data breach that affected at least 500 million users last September and waited until December to make public information about a hack that occurred in August 2013 that affected more than a billion users. This is not the first time the SEC has conducted such an investigation — following the Target hack in 2013 that left some 70 million credit and debit card accounts exposed, the regulatory body has been vigilant in ensuring that companies followed proper protocol in telling the public — or at least, their investors.
While the SEC has actually never brought a case against a company for not informing relevant parties about a cyberattack, this case could be unique in a number of ways. After all, Yahoo may soon be acquired by Verizon, a deal that was made all the shakier when news of the hack first came out in 2016. “Here you are talking not just about the potential for a data breach, but a deal blowing up because of a data breach,” John Reed Stark, a cybersecurity consultant who previously ran the SEC’s office of internet enforcement, told the Wall Street Journal.