Sen. Mark Warner (D-Va.) has asked the SEC to investigate Yahoo! over the hack of more than a half billion accounts.
Yahoo! announced the 2014 breach last week, but Warner wants to know what executives knew and when they knew it.
Warner, cofounder of the Senate Cybersecurity Caucus, wants to know whether Yahoo! complied with federal securities laws to keep the public and investors informed about breaches.
"Data security increasingly represents an issue of vital importance to management, customers, and shareholders, with major corporate liability, business continuity, and governance implications,” wrote Warner, a former tech executive. “Yahoo’s September filing asserting lack of knowledge of security incidents involving its IT systems creates serious concerns about truthfulness in representations to the public. The public ought to know what senior executives at Yahoo knew of the breach, and when they knew it.”
But Warner wants the SEC to dig deeper. "[S]ince published reports indicate fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach since 2010, I encourage you to evaluate the adequacy of current SEC thresholds for disclosing events of this nature," he said.
Yahoo! said Thursday (Sept. 22) it had uncovered a hack of info that might have included "email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers," though it said it does not think the stolen data included banking information.
Warner immediately called for passage of breach notification legislation and said he is currently working on a bill to create a "comprehensive, nationwide and uniform data breach standard."