As SEC Investigates Yahoo Breach, FTC Reiterates Need for Federal Breach Notification Laws
Following a data breach involving over 500 million accounts and a delay in notifying the public or impacted parties, the Securities and Exchange Commission (SEC) started an investigation into the Yahoo data breach at the request of a Senator. Later at a Senate Committee meeting the Federal Trade Commission (FTC) cited the Yahoo breach reiterating their support for federal data breach legislation.
In late September Yahoo announced that what they believed to be a state-sponsored actor was behind a data breach compromising more than one half billion Yahoo email accounts. Compromised information included names, email addresses, phone numbers, dates of birth, encrypted passwords and security question answers. It is believed the data breach occurred nearly two years ago, in late 2014.
Discovering and announcing the data breach came at inopportune time, as Verizon had recently agree to acquire Yahoo’s core assets. U.S. Senator Richard Blumenthal immediately called for tougher legislation ensuring “companies are properly and promptly notifying consumers when their data has been compromised,” and said it should be investigated “whether Yahoo may have concealed its knowledge of this breach,” because of the pending acquisition by Verizon.
U.S. Senator Mark Warner also reacted to the Yahoo breach and last week requested that the SEC investigate to see if senior executives at Yahoo properly disclosed the breach. The SEC has only brought two enforcement actions against companies related to data breaches or insufficient data protection, and the current SEC imposed requirements are somewhat vague, only requiring publicly traded companies to report data breach or hacking incidents that have a “material adverse effect on the business.”
At a U.S. Senate Committee on Commerce, Science and Transportation held less than one week after Yahoo formally announced the data breach, the FTC once again made a statement on the need for federal data breach notification laws. The FTC said there is need for “federal legislation that would (1) strengthen its existing data security authority and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach.”
There are data breach notification laws in 47 states, Washington D.C., Guam Puerto Rico and the Virgin Islands. Consumers are less protected in Alabama, New Mexico and South Dakota where there are no such state laws, but even in states where there are breach notification requirements they can vary considerably from state-to-state. John Carlin, assistant attorney general for national security a the Department of Justice referred to the current patchwork of 47 state laws as “ridiculous.”
Meanwhile as large-scale data breaches continue, so too does identity theft. The FTC received nearly 500,000 identity theft complaints in 2015, a 47 percent increase from the year before.
For more information: