The SEC first requested documents from the Sunnyvale, California-based company in December and will be determining whether Yahoo complied with civil securities laws in its disclosure tactics. Current SEC requirements necessitate that companies alert cybersecurity risks if they might affect investors.
Yahoo first revealed the 2014 data breach that affected at least 500 million users last September and waited until December to make public information about a hack that occurred in August 2013 that affected more than a billion users. This is not the first time the SEC has conducted such an investigation — following the Target hack in 2013 that left some 70 million credit and debit card accounts exposed, the regulatory body has been vigilant in ensuring that companies followed proper protocol in telling the public — or at least, their investors.
While the SEC has actually never brought a case against a company for not informing relevant parties about a cyberattack, this case could be unique in a number of ways. After all, Yahoo may soon be acquired by Verizon, a deal that was made all the shakier when news of the hack first came out in 2016. “Here you are talking not just about the potential for a data breach, but a deal blowing up because of a data breach,” John Reed Stark, a cybersecurity consultant who previously ran the SEC’s office of internet enforcement, told the Wall Street Journal.
Editors' Recommendations
- A data breach can cost millions of dollars — and you might be paying it
- Robinhood reports data breach affecting 7 million customers
- This vaccine passport app data breach is a cautionary tale
- T-Mobile investigating claims of massive hack involving customer data
- T-Mobile reveals it ended 2020 with data a breach
