In Focus: SEC’s Probe over Yahoo Data Breaches Raises Concerns

By Aliah D. Wright Jan 24, 2017

The Securities and Exchange Commission (SEC) is investigating whether two massive data breaches at Yahoo Inc. should have been reported sooner to investors, The Wall Street Journal and others reported.

As SHRM Online reported, Yahoo revealed in December that 1 billion accounts were breached in 2013. That hack is in addition to the one the search engine giant disclosed in September, when the company said that at least 500 million accounts were illegally accessed in 2014.

In the Dec. 14 announcement, Yahoo said users' names, e-mail addresses, passwords, security questions and answers, and telephone numbers were exposed. (The Daily Beast, SHRM Online)

A source told The Wall Street Journal the probe is expected to focus on both attacks. Yahoo didn't disclose the 2014 attack for two years, which may have been in violation of civil securities laws. While SEC guidelines from 2011 mandate that companies disclose any security breaches, those guidelines don't stipulate a timeframe, the paper reported. This means the Yahoo case may set a precedent.
"According to people familiar with the matter [this] could prove to be a major test in defining when a company is required to disclose a hack," The Journal reported. (The Wall Street Journal, subscription required)

The probe is yet another reason HR and IT must be vigilant not just in their cybersecurity efforts but in reporting attacks to clients, customers, and staff, experts tell SHRM Online.

Security begins and ends with employee education, training and backing up files:

"Most businesses view the responsibility of mitigating information security risks as being squarely in the purview of their information technology department. However, one study found that human error actually accounted for nearly two-thirds of security compromises, far exceeding causes like insecure websites and hacking," according to a recent SHRM Online article.

As detailed in the fourth edition of the Common Sense Guide to Mitigating Insider Threats from the Carnegie Mellon Software Engineering Institute, security awareness training is critical to improved security. Unfortunately, it is one of the most ignored areas in many organizations' information security plans, but it doesn't have to be.

There's a wealth of information on how to keep data secure, such as Foley & Lardner's Employee Information Security Checklist. Foley & Lardner is an international law firm based in Milwaukee. (HR Magazine, SHRM Online)
