The SEC is investigating whether Yahoo should have publicly disclosed its two mega-hacks earlier than it did — a process that could end up setting important benchmarks for how quickly publicly traded companies have to disclose cybersecurity breaches, the Wall Street Journal reported.
The company disclosed last year that it was cooperating with SEC investigators, but the WSJ report cites “people familiar with the matter” providing the first details about the parameters of the probe.
It wasn’t until September last year, four months after its $4.83 billion sale to Verizon, that Yahoo disclosed a 2014 cyberattack that accessed the email login credentials of half a billion account users. But in a November SEC filing the company disclosed that it had identified state-sponsored hackers in its network back in 2014. Then, in December, Yahoo said it had uncovered yet another massive breach, this one dating from August 2013 and involving more than 1 billion user accounts.
The SEC issued Yahoo requests for documents in December, as part of a probe into whether disclosures about the cyberattacks complied with civil securities laws, the Journal reported. If the agency finds the company should have disclosed one or both of the data breaches sooner, the company could be fined.
Sen. Mark Warner, D-Va., wrote the SEC last September, urging just such a probe. “The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it,” he wrote.
In 2011 guidance, the agency explained that existing law requires companies to disclose in public filings cybersecurity incidents determined to have had a “material” effect on the company’s fortunes or prospects. A Reuters investigation the following year found that companies often omitted those details in their filings.
Attorney and data security expert Craig Newman told CyberScoop that the 2011 guidance doesn’t explain how management should handle “the competing demands placed on a company,” regarding disclosure timing, calling it “a fuzzy issue without clear guidance from securities regulators.”
“The issue of when to disclose a data breach creates tension between the need to cooperate with law enforcement in an investigation and the obligation to inform investors and the markets. It’s a dangerous dilemma for companies,” said Newman, head of the Privacy & Data Security practice at Patterson Belknap Webb & Tyler law firm.
The SEC has previously investigated several large data breaches, including the one at Target, but has not yet taken public action, Newman said: “The Commission has never brought an enforcement action based on a company’s failure to disclose a cyberattack. But it’s been a moving target for years.”
The Journal reported that the agency has been seeking a test case to clarify what it expects from companies in terms of the timeliness of disclosure. But the newspaper also said it was too early to say whether the investigation would result in public action.