In November 2016 Yahoo announced that it was cooperating with federal, state and foreign agencies, including the US Securities and Exchange Commission (SEC), who were seeking information on the data breaches also announced during 2016. In December, the SEC issued requests for relevant documents from Yahoo, and Yahoo is now reported to be under investigation.
In September 2016 Yahoo announced that it had suffered a breach in 2014. It claimed that ‘state-sponsored’ attackers had stolen data from 500 million users. Two months later it disclosed that an earlier breach from August 2013 had led to the compromise of 1 billion user accounts. Yahoo has not said when it knew about these breaches.
Different agencies have different rules about the disclosure of data breaches. The SEC’s own 2011 rules are considered to be vague, and have never been enforced. It investigated the Target breach, but concluded that its own rules were not broken. These require that incidents that could have a “material adverse effect on the business” should be disclosed, but they do not define what this would be. The sheer size of the two Yahoo breaches combined with the intended acquisition of the organization by Verizon could make this a new test case for the SEC rules.
Yahoo may consider that simply disclosing the breaches before the Verizon acquisition is completed (expected to be during Q1 2017) may be sufficient to comply with the SEC rules. The SEC’s primary concern is to protect investors rather than users. Although it was thought that the breaches might cause Verizon to pull out of the acquisition, this is now thought to be unlikely. Yahoo can therefore argue that non-disclosure has not affected investors.
Verizon originally agreed to pay $4.8 billion for Yahoo, although the New York Post reported that it subsequently sought a $1 billion discount following the first disclosure. The report added, “At the same time, the Yahoo deal team is pushing back hard against any attempts to negotiate the price down, sources said.”
The SEC is best known for its actions against fraud rather than data protection. In October 2016, it ordered one of the Big 4 global audit companies, Ernst & Young, to pay $11.8 million ($1 million fines and $10.8 million in audit fee give-backs plus interest) for missing a major accounting fraud at Weatherford International.
Other agencies are more concerned about the compromise of personal data. In Europe, current data protection laws are enforced by individual national authorities (such as the Information Commissioner in the UK). The Article 29 Working Group comprises representation from all of the national regulators. In October 2016 it wrote to Yahoo asking for breach details: “As Data Protection Authorities (DPAs) in charge of the protection of European individuals’ data, we are deeply concerned by the report and the significant number of EU data subjects which may be affected.”
Any subsequent action from European regulators would come from each individual country concerned. For example, the ICO fined TalkTalk $510,000 in October 2016. Such fines could, however, be dwarfed by those available under the upcoming General Data Protection Regulation. Here, the ICO warns, “A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organization becoming aware of it… Failing to notify a breach when required to do so can result in a significant fine up to 10 million Euros or 2 per cent of your global turnover.”
It seems almost certain that Yahoo did not make its breach notifications within 72 hours of discovery. The implication is that if the GDPR were already operational, Yahoo would have even more problems than it already has.