SEC to investigate the Yahoo breach disclosures
The SEC has requested more information for potential cases concerning whether the Yahoo breach disclosures could have come sooner.
The Securities and Exchange Commission has opened an investigation into the recent Yahoo breach disclosures, and it may use the inquiry as a test case to push breach-disclosure requirements.
The Securities and Exchange Commission (SEC) reportedly issued a request in December for more information on the recent Yahoo breaches, according to sources for The Wall Street Journal. Yahoo disclosed a 2014 breach of 500 million user accounts in September 2016 and a 2013 breach of more than 1 billion user accounts in November. It is unclear if both Yahoo breaches will be investigated, but reports claim the SEC will focus on the 2014 incident.
Yahoo stated in a November SEC filing that it has complied with all information requests from law enforcement and federal agencies in these cases. Yahoo contended it did not learn about the 2014 breach until "an ongoing broader review of the company's network and data security" with outside investigators uncovered the issue in August 2016.
However, a source familiar with the matter previously admitted "somebody at the company knew something in 2014 relevant to a state-sponsored actor having accessed the system," but the extent of that knowledge was unclear.
The SEC has previously investigated other companies, including Sony, regarding whether public breach disclosures were made in a timely manner. But experts have been saying since the original Yahoo breach disclosure in September that the SEC was looking for a test case to properly define breach-disclosure requirements.
The SEC issued a guidance document concerning breach disclosures in 2011, but has never defined the strict requirements or timelines companies should follow when there is an incident. Given the size and scope of these Yahoo breaches, experts suspect the SEC may try to solidify those requirements.
This could be a major test in defining when a company is required to disclose a hack. https://t.co/iZc3M3A3Dh — Steven H. Shapiro (@shshap) January 23, 2017
Both Yahoo and the SEC declined to answer questions on the investigation.