This post is authored by Alyse Rankin with input by Peter Micek
For years Access Now has been calling for comprehensive data breach notification laws that would empower us to protect our rights. Now, thanks to an investigation in the United States by the Securities and Exchange Commission (SEC) — the federal agency in charge of enforcing financial securities laws and regulating stock markets — we may soon get important clarification for when a company is required to disclose a breach.
The SEC is investigating whether Yahoo should have disclosed two major data breaches to its investors sooner. The breaches occurred in 2013 and 2014, but were not disclosed until late 2016. In the 2014 breach, state-sponsored and criminal hackers stole the private information of more than 500 million of Yahoo’s users, including “names, email addresses, dates of birth, telephone numbers, and encrypted passwords.” The U.S. Department of Justice has just indicted two Russian government spies and two criminal hackers for the 2014 breach.
If the SEC proceeds with an enforcement action against Yahoo, it would help clarify when a company must publicly reveal a data breach under U.S. federal securities laws. It could also spur more corporations to commit to proactive protection of our digital security and routine data breach disclosure.
Data breaches impact our fundamental right to privacy and erode freedom of expression by undermining confidence in the confidentiality of our communications. And as governments and companies store more data about us, we’re at greater risk for the information being stolen, abused, or manipulated. The U.S. Federal Trade Commission reported that it received 490,220 identity theft complaints in 2015, a 47% increase from 2014.
Things have to change. Those of us impacted by data breaches should receive timely, easy to understand, and comprehensive notice by the companies or agencies breached. We should be able to see clearly how we can get remedy when our data are compromised. Ideally, national governments would protect our rights by passing strong federal data breach notification laws that mandate notifying affected users. Until then, though, state and federal agencies globally — such as the U.S. SEC, the Securities and Exchange Board of India (SEBI), Capital Markets Authority in Kenya, and Hong Kong Securities and Futures Commission (SFC) — should wield power to ensure companies tell us what happened and what we can do about it, and in a timely and comprehensive manner.
When must a company disclose a data breach?
It’s complicated. In the U.S., there are currently no specific disclosure requirements regarding cybersecurity risks and attacks under federal securities laws. However, companies registered with the SEC must provide periodic reports that publicly disclose “material” information about the company to the commission. “Material” means information “substantially likely” that a “reasonable investor” would consider “important to an investment decision.” And in 2011, the SEC Division of Corporate Finance published Disclosure Guidance on Cybersecurity, which gives companies direction on when cybersecurity risks or incidents should be disclosed to the public.
This disclosure guidance suggests that companies should reveal data breaches in various circumstances, including when the breach materially affects the company’s “products, services [or] relationships with customers…or competitive conditions.”
So when SHOULD a company like Yahoo disclose a breach?
In determining if the impact is “material,” U.S. companies need only consider financial and operational impacts that are relevant to investors. However, Access Now believes this standard should be clarified and strengthened to recognize that all breaches exposing user data have a “material” impact on a company’s “products, services [or] relationships with customers…or competitive conditions.”
Here’s why: companies today thrive on this data, and whether or not it is central to the business model or merely used as market research, our personal information, once collected by companies, is integrally connected to products and services. Incidents of breach that expose our data can damage a company’s reputation and destroy our trust. Trust is a key component of the internet economy, and it can impact a reasonable investor’s confidence. Given these facts, we believe that companies should disclose all breaches exposing user data to the SEC.
So what about Yahoo?
The Yahoo breach shows how important timely notification is, and how difficult it can be to figure out who knew what, when. In September of 2016, Yahoo publicly disclosed the 2014 data breach, claiming it discovered the breach only after an internal investigation in July 2016. However, in November 2016, Yahoo admitted that some employees in fact were aware of the hack as early as December 2014. It is also alleged that Marissa Mayer knew about the breach in July 2016, so the information may have been shared right up to the top of the company at that point. This is problematic for Yahoo, because it doesn’t jibe with its regulatory filing on September 9, 2016, stating the company “wasn’t aware of any “security breaches” or “loss, theft, unauthorized access or acquisition” of user data.”
The trouble doesn’t stop there. The SEC is also investigating a 2013 data breach impacting more than one billion people, and in that case it’s also not clear who knew what and when.
Also notable in the Yahoo case — especially for those of us deeply concerned about digital security — is what it means for company practices regarding vulnerabilities. Companies like Yahoo are likely disclose a data breach through filing a Form 8-K, which must be filed within four business days of an “event.” This may not give a company enough time to patch a vulnerability (although the SEC does not require disclosures to be of such detail that it would compromise a company’s own cybersecurity or provide a road map for malicious hacking).
This demonstrates the business case for companies like Yahoo to implement strong, proactive, digital security protections through robust encryption, and then to disclose data breaches in a timely and transparent manner. In a recent regulatory filing, Yahoo said that as a result of the 2013 and 2014 breaches, it has spent over $16 million in legal and investigatory fees and has had 43 class actions suits filed against it. And when Verizon acquired the company, Yahoo’s sale price was reduced by $250 million due in part to these security failures (at the time, we made several recommendations to Verizon to help protect people impacted by the breaches, arguing the company should increase protection for stored user data and provide effective breach notification systems).
Why is the SEC investigation of Yahoo important?
In short, because it can set a high-profile precedent that could help shift norms for digital security and data breach notification.
The SEC has investigated several companies regarding disclosure of data breaches to investors, the most notable being its investigation of Target after a 2013 data breach that compromised the credit and debit card information of no less than 70 million customers. Despite the massive scale and seriousness of this breach, and others like it, the SEC has never proceeded with an enforcement action against any company on these grounds. If it does take such an action against Yahoo, the SEC would set an example that could trigger an industry-wide — and potentially global — move toward proactive digital security protections and swift public disclosure of data breaches.
Should we push for a new federal law in the U.S.?
Yes, but we have to do it carefully. The FTC has called for the development of federal data breach notification legislation that would expand FTC authority to regulate data security and mandate disclosure of data breaches by companies to users. However, privacy advocates have objected to two past attempts at creating federal data breach notification legislation, the Data Security Breach Notification Act of 2014 and the Personal Data Notification and Protection Act of 2015, because they would have undermined stronger state protections. Both measures failed to pass through subcommittee review. As we told the FCC, federal data breach legislation is essential to developing strong privacy standards. It encourages data holders to properly protect data and lets people know when their data has been or is currently at risk. But any federal rules must be strong and allow even stronger state protections.
Since we don’t yet have strong federal data breach notification laws in the U.S., we recommend the SEC give teeth to its disclosure guidance by taking enforcement action against companies that fail to protect user data. SEC action can encourage corporations to take a proactive approach to digital security and do better with public disclosure of data breaches. For their part, investors should pressure companies to come clean about data breaches as soon as possible.
Hiding breaches compounds damage to the people affected, harms digital security by preventing other companies from finding and fixing security holes, and leaves investors and other stakeholders devastated when the full extent of the damage is finally exposed. That’s why we need federal action, by the U.S. Congress and executive agencies, to reset the default on breaches from “hide” to “disclose.”