Sen. Warner Calls on SEC to Investigate Disclosure of Yahoo Breach

Urges agency to evaluate whether the company fulfilled obligations to keep public and investors informed, as required by federal law

Sep 26 2016

WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), a member of the Senate Intelligence and Banking Committees and cofounder of the bipartisan Senate Cybersecurity Caucus, sent a letter to the U.S. Securities and Exchange Commission (SEC) calling on the agency to investigate whether Yahoo, Inc. fulfilled its obligations under federal securities laws to keep the public and investors informed about the nature of a security breach that has affected more than 500 million accounts.

“Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” wrote Sen. Warner, a former technology executive. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public.  The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.” 

While Yahoo announced last week that it suffered a major breach in 2014, press reports seem to indicate the company may have been aware of the hack as early as July of this year. Under federal law, public companies are required to disclose material events to shareholders within four business days.

“I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems. Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature,” added Sen. Warner.

Sen. Warner has been a leader in calling for better consumer protections from data theft. In the aftermath of the Target breach that exposed the debit and credit card information of 40 million customers, Sen. Warner in 2014 chaired the first congressional hearing on protecting consumer data from the threat posed by hackers targeting retailers’ online systems. Sen. Warner also partnered with the National Retail Federation to establish an information sharing platform that allows the industry to better protect consumer financial information from data breaches. Sen. Warner currently is working on bipartisan legislation to create a comprehensive, nationwide and uniform data breach standard requiring timely consumer notification for breaches of financial data and other sensitive information.

A full copy of the letter can be found below.

The Honorable Mary Jo White

Chair

U.S. Securities & Exchange Commission

100 F Street, NE

Washington, D.C. 20549

Dear Chair White:

I write to you about important federal securities matters pertaining to the Yahoo breach that may have affected 500 million accounts, and the associated lack of disclosure by the company to the public.

Last week, it was reported that Yahoo suffered a major breach in 2014, compromising more than 500 million accounts.  Press reports indicate Yahoo’s CEO, Marissa Mayer, knew of the breach as early as July of this year.  Despite the historic scale of the breach, however, the company failed to file a Form 8-K disclosing the breach to the public.

Furthermore, Yahoo has been engaged in an effort to sell its Internet business, including the unit affected by the breach, to Verizon since at least July 25, 2016, yet Yahoo reportedly did not inform Verizon of the breach until September 20, 2016.  More puzzlingly, the company noted in a proxy statement as recently as September 9, 2016 that, “To the knowledge of Seller, there have not been any incidents of, or third party claims alleging, (i) Security Breaches, unauthorized access or unauthorized use of any of Seller’s or the Business Subsidiaries’ information technology systems.”

Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about via Form 8-K within four business days.  Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications.  A breach of the magnitude that Yahoo and its users suffered seems to fit squarely within the definition of a material event.  Additionally, Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public.  The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it. 

I encourage you to investigate whether Yahoo and its senior executives fulfilled their obligations to keep investors and the public informed, and whether the company made complete and accurate representations about the security of its IT systems.  Additionally, since published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010,[3] I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature.  I would also appreciate answers to the following questions:

  1. What steps are you taking to ensure investors are receiving timely and accurate information in compliance with federal securities laws with respect to cybersecurity?
  2. What is your plan to address what appear to be deficiencies in disclosure with respect to cyber events?

As always, I appreciate your service in this important role.  Thank you for your timely consideration of this matter.

Sincerely,

Mark R. Warner

United States Senator

###