[BreachExchange] Could Yahoo be in trouble with the SEC?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 29 20:27:28 EDT 2016


https://www.washingtonpost.com/news/the-switch/wp/2016/09/28/could-yahoo-be-in-trouble-with-the-sec/

Yahoo said it learned of its recent massive breach, which affected more
than 500 million user accounts, in August.

Yet on Sept. 9 — after it started its investigation — the company said in a
regulatory filing that it was not aware of "any incidents of, or third
party claims alleging" security breaches, "unauthorized access or use" of
its information technology systems or misuse of personal information that
could significantly impact its business.

This apparent conflict between when it learned about the breach and what it
filed with the Securities and Exchange Commission about its proposed sale
to Verizon has raised questions about what the tech company knew and when.

Companies are required to tell the SEC about events that any "reasonable
investor would consider important in an investment decision," according to
the agency. Independent security experts who looked at the proxy filing say
the company could be on shaky ground if it comes to light that it in any
way understood the seriousness of the breach when it made that statement.

Yahoo was very careful in the wording of its Sept. 9 filing, said Kim Phan,
a D.C.-based lawyer specializing in data and privacy security at Ballard
Spahr. "Looking at their exact statement in their filing, they are very
specific — they say 'to our knowledge' we don’t know this was a breach,"
Phan said. "From a legal perspective, it’s not deceptive. However, it
doesn’t mean that they were fulfilling the spirit of the law."

Yahoo said it launched two different hack investigations this summer. The
first one was in July but had no "direct connection" to the massive breach
of 500 million user accounts. It found no evidence of that alleged hack and
closed its probe, the company said.

"In late August, Yahoo chose to begin a separate, comprehensive security
investigation," Yahoo said in a statement to The Washington Post. "That
investigation, which is ongoing, eventually resulted in the information
that was shared publicly on September 22."

However, that still places the proxy filing — and Yahoo's claim that it had
no knowledge of a serious breach — after the start of the company's
investigation in August.

Yahoo declined to elaborate on the Sept. 9 filing. The SEC declined to
comment.

The tech giant is already facing calls for closer scrutiny into the way it
reported the breach. Sen. Mark R. Warner (D-Va.) on Monday called for the
SEC to investigate whether Yahoo failed to fulfill its legal obligations to
shareholders and consumers, in light of the massive breach that exposed the
information of 500 million user accounts.

"I've been on public corporate boards and don’t see how anyone wouldn’t
view this as a material fact," Warner, a former technology executive, said
Tuesday in an interview with The Post. "It's important that we look into
when Yahoo executives had this information, and why did they file on Sept.
9 saying they had no evidence of this."

Whether an investigation that raises serious concerns about a breach is
itself enough to trigger a disclosure obligation is a difficult question to
answer, experts said.

The standard for reporting a breach, Phan said, is whether there could be
material harm to a company. For example, if proprietary information central
to a company's business model were stolen, then that could be considered
material harm. Another example is anything that can significantly damage
the reputation of the company. But harm can be difficult to evaluate,
particularly if a breach is caught and contained quickly.

"There's a risk to reporting," she said, citing bad press around a breach,
even if the intrusion itself doesn't cause the company much harm. "While
companies are being too conservative about reporting, they don't always
need to report everything."

Companies can also sometimes be asked by law enforcement not to disclose
breaches, experts said, to avoid disrupting ongoing investigations.

"Yahoo has been stingy with the facts, but this may be at the request of
U.S. law enforcement or the intelligence community," said Leo Taddeo, a
former special agent in charge of the FBI's New York cybercrime office and
now chief security officer at security firm Cryptzone. "If, in fact, there
are signs of a state actor, the authorities would definitely prefer to keep
the details out of the public domain. Otherwise, the hackers may get tipped
off to the U.S. government's sources and capabilities."

Yahoo's case especially stands out because of its circumstances. Yahoo is
in the midst of a sale, after all, and its statement that it had no
knowledge of the breach was made in a proxy filing — something experts say
is unusual. If Yahoo wanted to disclose a breach, it would have done so in
a separate filing as it did Sept. 22.

Whether its language in the proxy filing will lead to an SEC investigation
remains unclear.

Since offering its guidance on disclosing breaches in 2011, the SEC has not
penalized any company for failing to do so. And several companies do not
report breaches, Phan said. Sony, for example, which suffered a massive
breach of its records in 2014, never filed a notice with the SEC over that
incident.

That, according to Warner, is also a problem. Warner asked SEC chairman
Mary Jo White to "evaluate the adequacy of current SEC thresholds for
disclosing events of this nature" in his letter. He is also calling for the
government to set some sort of minimum cybersecurity standard for
companies, and for a national data breach disclosure law.

Yahoo, he said, is just the latest example to illustrate that the current
regulatory framework needs work. "This shows that this is an area that’s
changing faster than rules and technology can keep up with," he said. "If
this kind of massive breach doesn’t spur us on, I don’t know what will."