Dive Brief:
- Sen. Mark Warner, D-VA, has asked the U.S. Securities and Exchange Commission (SEC) to investigate whether Yahoo executives properly disclosed the massive breach that affected at least 500 million accounts, according to a Reuters report.
- In 2011, the SEC enacted rules for companies to follow that dictate the timeline for when cyberattacks must be revealed. But the agency thus far has failed to enforce them.
- The SEC rules vaguely require publicly traded companies to report hacking incidents that could have a "material adverse effect on the business." Warner and others want the SEC to make the rules more specific.
Dive Insight:
The SEC has never acted against a company for failing to disclose a cybersecurity incident, according to an agency spokesperson. But the Yahoo case may present the perfect opportunity to do so given the attention being paid to the incident and the sheer size of the breach. If the SEC comes down hard on Yahoo, other companies may be motivated to pay closer attention to how they protect personal data.
Yahoo has faced harsh criticism for how it handled disclosing the massive breach revealed in September. The company is facing multiple lawsuits and questions from six U.S. senators. If the SEC responds, the company may face government penalties as well. The Federal Trade Commission may also look into the breach, as it has become the agency's task to police enterprise cybersecurity failures.
Yahoo on Sept. 22 blamed the breach on a "state-sponsored actor." But last week, cybersecurity researchers said common hackers were more likely responsible for the breach. The company has not revealed when it learned of the 2014 attack. But on Sept. 9, Yahoo said in an SEC filing, required as part of Verizon's proposed purchase of the company, that it did not know of "any incidents of, or third party claims alleging ... unauthorized access" of customers' data.