Yahoo hack may become test case for SEC data breach disclosure rules
By Dustin Volz
WASHINGTON (Reuters) - Yahoo's disclosure that hackers stole user data from at least 500 million accounts in 2014 has highlighted shortcomings in U.S. rules on when cyber attacks must be revealed, and in how those rules are enforced.
Democratic Senator Mark Warner this week asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives properly disclosed the attack, which Yahoo blamed on Sept. 22 on a "state-sponsored actor."
The Yahoo hack could become a test case of the SEC's guidelines, said Jacob Olcott, former Senate Commerce Committee counsel who helped develop them, due to the size of the breach, intense public scrutiny and uncertainty over the timing of Yahoo's discovery.
Yahoo has not specifically addressed when it learned of the 2014 attack. The vagueness of the SEC's 2011 disclosure guidance, and the agency's failure to enforce it, are drawing equal attention, privacy lawyers and cyber security experts said.
The agency has "been looking for the right case to bring forward," said Olcott.
The agency in 2011 told publicly traded companies to report hacking incidents that could have a "material adverse effect on the business," but it did not define the term.
SEC has never acted against a company for failing to disclose a cybersecurity incident or threat, and it has brought just two enforcement actions against companies for insufficient data protection, an agency spokesman said.
Lawyers said this reflected the difficulty of determining whether a breach is material, and the belief of many companies that a generic disclosure of cyber threats in their filings satisfies the requirement, even without reporting specific incidents.