The Securities and Exchange Commission (SEC) is currently investigating two enormous data breaches at Yahoo and is looking into the matter to determine whether the company should have reported it to the investors sooner.
The SEC started conducting its investigations in December 2016 and proceeded with the request for relevant documents, as it looks to determine whether Yahoo complied with the civil security laws on the disclosure of the cyberattacks that took place in 2014.
According to legal notifications, tech companies are required to declare the various risks involved while engaging with such disclosures as these may have a detrimental effect on investors.
Yahoo 2014 Data Breach
The Wall Street Journal says that the investigation surrounding the Yahoo security breach is still in its early stage. Therefore, with regard to any penalties or legal implications involved, one would still have to wait.
The investigation is expected to center on a data breach at Yahoo which took place in 2014. During the security breach, at least 500 million users' personal data was compromised. Yahoo went on to reveal this breach two years later in 2016, even though it had linked the incident to state-sponsored hackers in 2014.
Yahoo hasn't been able to explain why it took two years to reveal a breach this massive or who took the decision of not going public with this matter. In mid-December 2016, Yahoo revealed that it had recently discovered that more than 1 billion users' private information was exposed during a data breach in August 2013.
Amid all this, Yahoo faced several hurdles on its way to finalizing the acquisition process with Verizon. With the company's recent claims of hackers stealing the data of almost 500 million users in 2014, there were rumors that Verizon was contemplating backing out of the deal or ask for a $1 billion discount.
The situation worsened with the disclosure of the data breach of 1 billion Yahoo users by an "unauthorized third party."
The investigation now not only lays emphasis on what information that was not revealed to investors but will likely include Verizon. Verizon has also repeatedly stated that it will "evaluate the situation as Yahoo continues the investigation."
The Wall Street Journal states that this could be the first time a federal agency has brought a case against a company for failing to disclose the cyber breach.
Yahoo asserts that it is cooperating with "federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney's Office for the Southern District of New York."