It has been confirmed that the U.S. Securities and Exchange Commission (SEC) is to investigate Yahoo concerning two enormous data breaches that were made public in late 2016. The SEC investigation will not cover the controls Yahoo put in place to prevent data breaches, but rather whether the web services provider took too long to inform its investors of the breaches.
Yahoo publicly acknowledged in September 2016 that it had been the victim of massive data breaches affecting several hundred million users. Since that time, the company has been roundly condemned for the way it dealt with the breach. Some commentators have also asked when the company initially realised that its systems had been breached and further demanded an explanation for the delay in the issuing of notifications.
In December 2016, Yahoo made a second announcement confirming that it had experienced a further data breach. The second breach was in fact the largest such recorded breach in history. Over one billion Yahoo users had had their accounts compromised. It was believed that the breach occurred in 2013.
Although Yahoo users might think that they should have received notification of the breaches much sooner than they did, the SEC investigation into Yahoo’s conduct will focus on whether or not its investors were informed promptly enough.
The Securities and Exchange Commission asked Yahoo to supply documents for the investigation in December 2016. Yahoo has indicated that it has been cooperating with various agencies concerning the incidents.
Companies are required under securities industry regulations to disclose information relating to cybersecurity breaches as soon as it is clear that investors will be affected. Prior to the news about the data breaches being released, Yahoo was going through a takeover by Verizon. Both giant data breaches may affect whether the takeover goes ahead and, if it does, the price paid by Verizon might be impacted. Clearly, this would be very significant for Yahoo’s investors.
Guidance concerning the reporting of security breaches for publicly traded companies was published by the SEC in 2011. The investigation will undoubtedly focus on whether Yahoo has acted in compliance with that guidance and whether or not the internet services provider honoured its obligations to investors.
Yahoo has remained tight-lipped as to why it took approximately 2 years for one breach and 3 years for the second before the cyberattacks were confirmed. No indication has been made as to why the decision to go public did not come quicker, nor who within the company was responsible for that decision.
The investigation is in its initial stages, so it is too soon to know what, if any, punitive measures will be ordered against Yahoo. Equally, the incident is without precedent. No such case has ever previously been brought by the SEC against a company for failure to reveal a data breach.
Other organizations are also currently investigating Yahoo. The Federal Trade Commission has launched an investigation into the incidents, and so too have the State Attorneys General and the U.S. Attorney’s Office situated in Manhattan, New York.