What did Yahoo know about the huge security breach -- and when?

Federal law requires public companies to promptly disclose 'material events'

There are more and more questions about what Yahoo knew -- and when -- about the massive data breach that may have exposed the private data of 500 million consumers to prying eyes.

Among those probing for answers is U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus.

Warner has written to the U.S. Securities and Exchange Commission (SEC) calling on the agency to investigate whether Yahoo fulfilled its obligations under federal securities laws to keep the public and investors informed about the security breach.

“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” said Warner, a former technology executive. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.”

Four business days 

Press reports have indicated that Yahoo may have known about the breach, which occurred in 2014, as early as July of this year. Under federal law, public companies are required to disclose material events to shareholders within four business days.

“I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems,” Warner said in his letter to the SEC.

Warner has frequently called for better consumer protections from data theft. In the aftermath of the Target breach that exposed the debit and credit card information of 40 million customers, Warner chaired the first congressional hearing on protecting consumer data from the threat posed by hackers targeting retailers’ online systems.

Warner said he currently is working on bipartisan legislation to create a comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information.

Other remedies

Besides hardening IT systems against intrusion, a good way to reduce loss of private data is to collect less of it. That's an approach favored by the Electronic Privacy Information Center (EPIC).

EPIC has been urging the Administration and Congress for years to promote privacy-enhancing techniques that minimize or eliminate the collection of personally identifiable information.

This year EPIC launched “Data Protection 2016,” a non-partisan campaign to make data protection an issue in the 2016 election, calling it “the most important, least well understood issue” of this election.
