Officials at the U.S. Securities and Exchange Commission are reportedly digging into the timing of Yahoo’s hack disclosures to see whether the incidents should have been announced sooner.
According to a report in the Wall Street Journal, the SEC took up an investigation into the matter and sent out requests for related paperwork back in December. Though the Journal noted the SEC has never yet done so in relation to a “cyberbreach,” the agency could potentially bring a suit against Yahoo for failing to disclose a cyber incident that could affect investors in a timely manner in keeping with guidance the Commission issued in 2011.
Under the microscope here are two breaches announced by Yahoo late last year, including a late 2014 hack announced in September impacting 500 million accounts and an August 2013 infiltration announced in December that impacted more than a billion accounts. Both disclosures occurred more than two years after the fact, and the incidents were not mentioned during negotiations with U.S. wireless carrier Verizon, which agree in July to acquire Yahoo for $4.83 billion.
Though the Journal noted the SEC has investigated other companies – including Target, which announced a breach of its systems within weeks – over hack disclosures, former SEC lawyers told the paper the Yahoo incidents seem to offer a better opportunity for the Commission to clarify the timing mentioned in its 2011 note.
Though several executives have said the Yahoo deal still makes sense, Verizon has been pretty tight-lipped about whether or not it plans to follow through with the deal in light of the incidents. In a short statement back in December, the company said only it will “evaluate the situation as Yahoo continues its investigation” and will “review the impact of this new development before reaching any final conclusions.”