Democratic Senator Mark Warner on Monday asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about a hacking attack affecting 500 million user accounts.
"Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about," Warner said in a letter to SEC Chairwoman Mary Jo White.
Yahoo has faced pointed questions about exactly when it knew about the 2014 cyber attack announced last week that exposed the email credentials of half a billion accounts, a critical issue for the company as it seeks to prevent the breach from affecting a pending takeover of its core business by Verizon Inc.
Warner also asked the SEC to probe whether Yahoo has "made complete and accurate representations" about the security of its information technology systems, and for the agency to evaluate its current thresholds for how and when companies need to report a material data breach.
Although the SEC has longstanding guidance on when publicly traded companies should report hacking incidents, companies that have experienced known breaches often omit those details in regulatory filings, according to a 2012 Reuters investigation (http://reut.rs/2dblx5S).
In a Sept. 9 regulatory filing with the SEC, Yahoo stated it did not have knowledge of "any incidents of, or third party claims alleging ... unauthorized access" of personal data of its customers that could have a material adverse effect on Verizon's acquisition.
Establishing that Yahoo is liable for damages under SEC rules is a "pretty high bar" in data breach cases, said Robert Cattanach, a lawyer at Dorsey & Whitney who specializes in cyber security.
Yahoo is additionally protected from liability given the relative lack of sensitivity of the data compromised, Cattanach said, though he said both the SEC and Federal Trade Commission were likely to open investigations.
At least one state, Massachusetts, is also seeking more information from Yahoo about the breach, a spokesperson for the state's attorney general told Reuters on Monday.
Yahoo has so far not provided a clear, detailed timeline about when it was made aware of the breach announced Thursday.