New submitter Linorgese quotes a report from The Wall Street Journal (Warning: paywalled; alternate source): U.S. authorities are investigating whether Yahoo Inc.'s two massive data breaches should have been reported sooner to investors, according to people familiar with the matter, in what could prove to be a major test in defining when a company is required to disclose a hack.
Last month, the Federal Bureau of Investigation said it had begun an investigation into a 2013 data breach that involved more than 1 billion users' accounts. That followed Yahoo's disclosure that a 2014 intrusion involved about 500 million accounts. As part of its investigation, the SEC last month requested documents from Yahoo, the Journal said, citing persons familiar with the situation. The agency has been seeking a model case for cybersecurity rules it issued in 2011, legal experts told the Journal. In a November 2016 SEC filing, Yahoo noted that it was cooperating with the SEC, Federal Trade Commission and other federal, state, and foreign governmental officials and agencies including "a number of State Attorneys General, and the U.S. Attorney's office for the Southern District of New York." When Yahoo reported the 2014 breach it said that evidence linked it to a state-sponsored attacker. It has not announced a suspected responsibility for the larger 2013 intrusion, but the company has said it does not believe the two breaches are linked.