The Securities and Exchange Commission (SEC) has reportedly launched an investigation to determine whether Yahoo waited too long before sharing with investors that it had been hit with two major data breaches.
Public companies are required by the SEC to disclose cyber-risks and incidents to investors once they are considered material. The Wall Street Journal, citing sources familiar with the matter, reports the SEC requested documents in December as part of an inquiry into whether Yahoo complied with these disclosure requirements.
Investigators are likely looking into Yahoo's 2014 data breach, which exposed the account information of 500 million users. Yahoo waited two years before disclosing the breach in September 2016, and it botched the delivery.
"They did an awful job at breach notification," says Jeff Pollard, principal analyst at Forrester, of Yahoo's public handling of the data breach. Yahoo's language and communication channels were poorly chosen, he explains, and there was little emphasis on the victims whose data was compromised.
"There was a lot of discussion about Yahoo, but not a lot of discussion about Yahoo users," Pollard notes. The disclosure of an August 2013 breach, which exposed the data of more than 1 billion users, was "a bit better" when Yahoo made the announcement in December 2016.
However, there is room for improvement. The results of this investigation could have long-term implications for all organizations affected by cybercrime.
"By 2016, data breaches have become common," says Pollard. "That's a sad fact, but it's also true. The bar has been raised for what a good response, and good [customer] notification, looks like."
The current SEC investigation signals that cybersecurity must be on the agenda when businesses prepare earnings reports and other disclosures, Pollard says. From a regulatory perspective, he continues, it is a topic nobody can avoid.
As cyber threats continue to grow, companies will be forced to think about how they're investigating data breaches and communicating their findings. Their strategies can affect both brand resilience and customer trust.
How long should companies wait before disclosing security breaches? This will be a difficult question to answer as they balance the importance of a thorough investigation with customer needs.
"It's tough to say you should notify customers quickly because you want to be as thorough as possible," says Pollard. "At the same time, you have an obligation. Once you have some degree of information that allows you to understand how customers and partners might be affected, you should notify them."
It's worth noting that Yahoo disclosed both the 2013 and 2014 data breaches after it agreed to sell core businesses to Verizon last summer, which some experts believe is part of the reason its breaches have become so highly publicized.
"Yahoo is having all this play out in the headlines because of their name and the Verizon deal," says Jonathan Sander, vice president of product strategy at Lieberman Software. "It's all too likely that any IT shop could find themselves in the same boat if they came under this level of scrutiny."
Pollard also questions whether the SEC would be digging into Yahoo's data breaches if not for the size of its Verizon deal. Regardless of the outcome, he says, if the legal system begins to treat cybersecurity as a material matter, that will signal to regulatory bodies that they need to think about it as well.