Yahoo Inc. is back in the news this week.
The U.S. Securities and Exchange Commission (SEC) is investigating whether the tech company should have reported its two massive data breaches to investors sooner, according to a story in the Wall Street Journal.
The investigation is significant because it “could prove to be a major test in defining when a company is required to disclose a hack,” according to the WSJ story.
In its quarterly November filing, Yahoo said it was “cooperating with federal, state and foreign” agencies, including the SEC, that were seeking information and documents about a “security incident and related matters.”
Journalists have asked Yahoo specifically when it knew about the 2014 cyber attack wherein email credentials for half a billion accounts were compromised. And then in December, the company announced more than 1 billion user accounts had been compromised back in August 2013 in a separate incident.
The SEC requires companies to disclose cybersecurity risks as soon they are determined to affect investors. You can see a list of the SEC’s cybersecurity regulations here.
While the SEC hasn’t ever brought a case against a company for failing to disclose a cyberbreach, it has brought cases against several firms for failing to have adequate consumer protections against cybertheft.
Are you covered for identity theft?