U.S. Sen. Mark Warner, D-Va., on Monday urged the U.S. Securities and Exchange Commission to investigate whether Yahoo met its legal obligations to keep the public and investors informed about a massive breach of 500 million Yahoo accounts.
In a letter to the SEC, Warner said Yahoo failed to file a Form 8-K disclosure to the public about the breach, and that the company said in a proxy statement on Sept. 9 that it had not experienced any breaches.
Warner said Yahoo knew about the breach as early as July but didn’t inform Verizon, which is in the process of acquiring Yahoo, until Sept. 20. Verizon said on July 25 it would buy Yahoo's internet business for $4.8 billion.
“I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems,” Warner wrote.
He added that fewer than 100 of about 9,000 publicly listed companies have reported a material breach since 2010. “I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,” Warner wrote.
An SEC spokesman declined any comment on Warner’s request. Yahoo didn’t immediately respond.
Separately, Warner is developing bipartisan legislation to create a uniform, nationwide data breach standard that requires timely consumer notification of data breaches inside organizations. Several U.S. states have breach notification policies, including California.
Some analysts on Monday said the U.S. needs more authority to force companies to be more responsible and more forthcoming about breaches. Unless federal authorities get involved, “we will continue to see such egregious breaches, “ said Jack Gold, an analyst at J.Gold Associates. “If Yahoo knew it had been breached and didn’t disclose, it will face mounting criticism and lawsuits, some already started.”
Gold said the concern over Yahoo’s reporting of the breach is “one more reason that I’d argue Verizon should go slow in acquiring Yahoo.”
Roger Entner, an analyst at Recon Analytics, last week defended Yahoo, saying the breach was by an unnamed nation-state, which is an attack that can’t be prevented.
Nonetheless, “Yahoo didn’t disclose fast enough nor did it investigate quickly enough with enough vigor,” Entner said. “The breach happened in 2014 and now we find out about it in 2016. The hackers had two years to exploit whatever they found there. That’s a huge problem. Customers need to be informed more quickly so that the hackers cannot use the data for two years before customers know they need to react.”
Entner also put in a plea for two-factor authentication for access to most websites. “A password and challenge question just isn’t safe anymore. All of that has been thoroughly compromised.”
Patrick Moorhead, an analyst at Moor Insights & Strategy said it's unfortunate that because “industry couldn’t regulate itself, Congress feels it needs to get involved … What Yahoo, Google, Facebook, Twitter and Microsoft should do is get together and agree to a [disclosure] standard and keep the government out of it. We don’t need another bloated government organization and should call on industry to self-regulate.”
Avivah Litan, an analyst at Gartner, urged Congress to pass a federal data breach disclosure law. "It’s not clear to me that Yahoo was legally obligated to disclose this breach under one of the many state disclosure laws -- almost every U.S. State has one -- given the type of relatively low-risk data that was stolen," she said.