While 500 million accounts is an historic hack, the toughest questions coming out of the recently disclosed 2014 Yahoo breach have more to do with corporate accountability for disclosing cybersecurity events.
Hacked enterprises are now facing more questions from regulators over disclosure, focusing on what they knew and when they knew it. The "we were victims of a sophisticated hack" defense now requires facts to back it up. And that means enterprises are accountable for what they did and didn't disclose.
The answers to these questions carry hefty consequences, including reputation damage, financial penalties, and potentially corporate demise.
These are the questions Sen. Mark Warner (D-Va.) on Monday asked the Securities and Exchange Commission (SEC) to investigate in the wake of Yahoo's surprise acknowledgement of a two-year-old hack that involved 500 million user accounts. Yahoo is the latest in an emerging trail of companies facing cybersecurity questions over the emergence of stolen data available online today but pilfered years ago.
This year alone, a handful of breaches dating back as far as 2012 have surfaced involving Dropbox, MySpace, Tumblr and LinkedIn. These "hidden breaches" are emerging as a new normal. Inquiring minds want to know why data, stolen years ago, was either never noticed, or worse, purposely kept out of public disclosure.
In essence, post-breach forensics will determine how much blame, if any, the hacked company shares with the hacker.
Warner wrote to SEC Chair Mary Jo White on Monday saying "data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications." Warner wrote, "disclosure is the foundation of federal securities laws and public companies are required to disclose material events that shareholders should know about via Form 8-K within four business days."
The definition of "material events" will become a breach debate topic, and will be the key to monetary and other consequences in all cases.
Warner encouraged White to investigate whether Yahoo and senior executives "fulfilled their obligations" and made "complete and accurate representations about the security of its IT systems." But going forward, you could easily cross out Yahoo and fill in the name of the next breach victim.
For some, their actions, or lack thereof, already have fallen under the scrutiny of regulatory bodies such as the SEC, the Federal Trade Commission (FTC), and state attorneys general.
The SEC and FTC have been creating a track record of defining corporate accountability for cybersecurity with modernized safeguard laws, including cases against Wyndham Hotels and continuing with investigations into hacks such as the Target breach in 2013.
But Yahoo's breach is the most significant to date given it's the largest ever. The final outcome has the potential to be a watershed moment that could establish standards for breach reporting and hefty penalties for those who violate those standards.
Fudging on disclosure is an emerging and disturbing phenomenon.
Symantec's 2016 Internet Security Threat Report noted that breached companies aren't always reporting accurately. "The increasing number of companies choosing to hold back critical details after a breach is a disturbing trend," Kevin Haley, director of Symantec Security Response, said in a release accompanying the report's findings.
Now, regulators and lawmakers are going deeper on liability. And it might just be the push needed to see better security blossom across the internet.