The U.S. Securities and Exchange Commission (SEC) issued a filing indicating it plans to investigate whether Yahoo Inc. could have disclosed its two enormous data breaches sooner, according to media reports.
The SEC requires companies to disclose cybersecurity risks immediately if they have an effect on investors.
Last September, Yahoo disclosed a 2014 cyberattack that exposed the email credentials of half a billion accounts. In December, the company said it had uncovered yet another massive cyberattack wherein 1 billion user accounts were compromised in 2013. Disclosures from Yahoo about the two attacks did not surface until after Verizon agreed to buy Yahoo’s primary business in July. Yahoo has not yet explained why the incidents were not disclosed for years.
The SEC investigation doesn’t come as a huge surprise. Yahoo has come under fire for two huge breaches disclosed after Verizon agreed to buy the company for $4.65 billion. Legislators have been calling for SEC investigations into how the company handled the disclosure of the original hack revealed in September.
This will be the first time the SEC has brought a case against a company for neglecting to disclose a data breach. In this case, it’s the perfect storm, not only because of the pending Verizon sale, but also because Yahoo saw its shares drop instantly after each breach disclosure.
The case may help to define more precise rules about when a company must disclose a hack, something all businesses may want to pay attention to.
Since Yahoo’s disclosure of the second breach, Verizon has reportedly been looking for a big discount if it chooses to go through with the deal at all.