The U.S. Securities and Exchange Commission will be investigating Yahoo over the two massive data breaches announced late last year. The SEC investigation of Yahoo will not be concerned with the controls put in place by the company to prevent data breaches, but whether Yahoo should have informed its investors of the breaches more quickly.
In September, Yahoo announced that it had experienced a massive data breaches that had impacted hundreds of millions of its users. Since that announcement, the company has been heavily criticized for its handling of the breach. Questions have also been asked about when the company first became aware that its systems had been breached and why it took so long for notifications to be issued.
In December, a second announcement was made, this time about a further data breach that the company had experienced. The second breach was on a scale never before seen. The records of more than 1 billion of its users had been compromised. That cyberattack was understood to have occurred a year earlier in 2013.
While Yahoo users may feel that they should have been notified of the breaches faster, the SEC investigation of Yahoo will be centered on whether its investors should have been informed much more promptly.
The SEC requested Yahoo supply documents for its investigation in December. Yahoo has confirmed that it is cooperating with federal, state and foreign agencies about the security incidents.
Securities industry regulations require companies to disclose details of cybersecurity breaches as soon as it is known that they will have an impact on investors. Before the news broke about the data breaches, Yahoo was in the process of being taken over by Verizon. The two massive data breaches could potentially have a an impact on whether the takeover goes ahead and if it does, on the price paid by Verizon. That would certainly have an impact on Yahoo’s investors.
In 2011, the SEC released guidance on for publicly traded companies on the reporting of hacking incidents. The investigation is likely to center on whether Yahoo complied with that guidance and whether the company fulfilled its investigations to its investors.
Yahoo has been relatively silent on why it took two years from one breach and three years from the second for the cyberattacks to be announced. Nothing has been said about why the decision to go public was not made sooner, nor who made that decision.
The SEC investigation of Yahoo is still in the very early stages so it is too early to tell what, if any, action will be taken against Yahoo. There are also no precedents. The SEC has never before brought a case against any company for the failure to disclose a data breach.
The SEC is not the only organization investigating Yahoo. The Federal Trade Commission launched an investigation into the Yahoo data breaches, as have State Attorneys General and the U.S. Attorney’s Office in Manhattan.