Yahoo hack may become test case for SEC data breach disclosure rules
[October 01, 2016]
By Dustin Volz
WASHINGTON (Reuters) - Yahoo's disclosure
that hackers stole user data from at least 500 million accounts in 2014
has highlighted shortcomings in U.S. rules on when cyber attacks must be
revealed and their enforcement.
Democratic Senator Mark Warner this week asked the U.S. Securities and
Exchange Commission to investigate whether Yahoo and its senior
executives properly disclosed the attack, which Yahoo blamed on Sept. 22
on a "state-sponsored actor."
The Yahoo hack could become a test case of the SEC's guidelines, said
Jacob Olcott, former Senate Commerce Committee counsel who helped
develop them, due to the size of the breach, intense public scrutiny and
uncertainty over the timing of Yahoo's discovery.
Yahoo has not specifically addressed when it learned of the 2014 attack.
And the vagueness of the SEC's 2011 rules on disclosure, and its failure to
enforce them, are drawing equal attention, privacy lawyers and cyber
security experts said.
The agency has "been looking for the right case to bring forward," said
Olcott.
The agency in 2011 told publicly traded companies to report hacking
incidents that could have a “material adverse effect on the business”
but did not define that.
The SEC has never acted against a company for failing to disclose a
cybersecurity incident or threat, and it has brought just two
enforcement actions against companies for insufficient data protection,
an agency spokesman said.
Lawyers said this reflected difficulty in determining if breaches were
material and many companies' belief that reporting on cyber threats
generally satisfies the disclosure requirement.
Yahoo has not offered a precise timeline about when it was made aware of
the breach.
On Sept. 9, it said in an SEC filing it did not know of "any incidents
of, or third party claims alleging ... unauthorized access" of
customers' personal data that could have a material adverse effect on
Verizon Communication Inc's <VZ.N> planned $4.8 billion acquisition of
Yahoo's core business.
Since then, Yahoo has not clarified if it knew of the attack before that
SEC filing. "Our investigation into this matter is ongoing and the
issues are complex," a Yahoo spokesman said last week.
In his letter, Warner asked the SEC to evaluate whether the current
disclosure regime was adequate. He cited reports that fewer than 100 of
9,000 public companies disclosed a material data breach since 2010.
“I don’t know that we need new rules. But in certain situations, you may
need more aggressive enforcement,” said Roberta Karmel, a Brooklyn Law
School professor.
[Photo: A Yahoo logo is pictured in front of a building in Rolle, 30 km (19
miles) east of Geneva, December 12, 2012. REUTERS/Denis Balibouse/File photo]
The SEC in 2014 examined whether cyber disclosure rules needed to be
strengthened and imposed new requirements for broker-dealers and investment
advisers but not public companies.
'PUNISH THE VICTIM'
Some policymakers worry rules compelling prompt disclosure of cyber attacks
could deter companies from cooperating with authorities.
“We cannot blame executives for worrying that what starts today as an honest
conversation about a cyberattack could end tomorrow in a ‘punish the victim’
regulatory enforcement action,” Commerce Secretary Penny Pritzker said this
week.
Congress last year expanded liability protections for companies that share cyber
information with the government, and Pritzker urged granting companies temporary
immunity during the response to a hack.
Amid SEC inaction, the Federal Trade Commission has brought 60 successful data
security cases since 2001 in part, lawyers said, because its authority is
clearer than the SEC's.
Those cases have dealt with deceptive statements by companies and security
lapses. The FTC is hampered by the lack of a national requirement for companies
to notify the public about data breaches.
That idea got widespread support after the 2013 hacking of shoppers' credit card
information from Target Corp. <TGT.N> But legislation proposed by President
Barack Obama in 2015 fizzled.
(Reporting by Dustin Volz; Additional reporting by Joseph Menn, Jim Finkle and
Lisa Lambert; Editing by Jonathan Weber and Cynthia Osterman)
© 2016 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.