U.S. authorities are investigating whether Yahoo Inc.’s two massive data breaches should have been reported sooner to investors, according to people familiar with the matter, in what could prove to be a major test in defining when a company is required to disclose a hack.
The Securities and Exchange Commission has opened an investigation, and in December issued requests for documents, as it looks into whether the tech company’s disclosures about the cyberattacks complied with civil securities laws, the people said. The SEC requires companies to disclose cybersecurity risks as soon as they are determined to have an effect on investors.
The investigation is likely to center on a 2014 data breach at Yahoo that compromised the data of at least 500 million users, according to the people familiar with the matter. Yahoo disclosed that breach in September 2016, despite having linked the incident to state-sponsored hackers two years earlier.
To date, Yahoo hasn’t explained why the company took two years to disclose the 2014 incident publicly or who made the decision not to go public sooner with this information. In mid-December Yahoo also said it had recently discovered an August 2013 data breach that had exposed the private information of more than 1 billion Yahoo users.
The SEC investigation into the disclosures is in its early stages, and it’s too early to say whether it will result in any public action, some of the people familiar with the matter said.
Legal experts say the SEC has been looking for a case to clarify what type of conduct would run afoul of guidance the agency issued in 2011. That guidance required companies to disclose material information about cybersecurity risks and cyber incidents if they determine it could affect investors.
The SEC has investigated multiple companies over whether they properly disclosed hacks, particularly in the wake of the Target Corp. breach in 2013 that compromised up to 70 million credit and debit-card accounts. Target disclosed the incident weeks after the breach began. The SEC investigated and didn’t recommend an enforcement action, Target said in an SEC filing.
Former SEC lawyers said the Yahoo scenario appears to provide a clearer set of circumstances than past scenarios provided. If the SEC brought a case, it could make clearer to other companies what type of disclosures it views as potentially violating the law in this area. Experts also say such a case could help clarify rules over timing because the guidance doesn’t lay out detailed requirements.
The SEC has never brought a case against a company for failing to disclose a cyberbreach, given the blurriness of when an issue might be “material.”
All internet companies face frequent cyberattacks, and such events have rarely had a dramatic impact on a company’s stock price. Yahoo saw its shares drop immediately after each breach disclosure. The SEC has brought cases against several firms it regulates for failing to have adequate customer protections against cybertheft.
In a quarterly securities filing in November, Yahoo said it was “cooperating with federal, state and foreign” agencies seeking information on the 2014 breach. Those agencies include the Federal Trade Commission, the SEC, the U.S. attorney’s office in Manhattan, and “a number of State Attorneys General,” it said.
When asked for comment, a Yahoo spokesman directed The Wall Street Journal to Yahoo’s SEC filings. Representatives of the U.S. attorney’s office in Manhattan and the SEC declined to comment.
A person familiar with the situation said that Yahoo initially believed the breach had affected fewer than the 500 million users it eventually disclosed. Whether the breach, as understood by Yahoo executives back in 2014, was large enough to merit public notification is now a question for investigators.
Yahoo’s board of directors has appointed a committee to investigate the 2014 breach and “the scope of knowledge within the Company,” the company said in an SEC filing.
Yahoo investors weren’t the only ones left in the dark. Both breach disclosures came after the internet company agreed to sell its core business to Verizon Communications Inc. in July, raising questions about whether the deal would be renegotiated or possibly even terminated. Verizon has said the logic of the deal still holds, although it is studying whether the breach causes a drop in Yahoo’s user base or other negative effects before making as decision about how to proceed with the deal. A Verizon spokesman declined to comment.
Although it is unusual for a company to go two years before notifying customers of a breach of the magnitude of Yahoo’s 2014 incident, it can be difficult for investigators to initially determine the full scope of a data breach, said Rob Lee, a fellow at the SANS Institute, an organization that trains computer security professionals.
When Target was hacked in 2013, the company initially determined that 40 million credit and debit-card accounts had been compromised, only later to increase the estimate to 70 million.
But the Yahoo case appears to be unusual, experts said, both because of its scope and the timing of the disclosures. “Here you are talking not just about the potential for a data breach, but a deal blowing up because of a data breach,” said John Reed Stark, a cybersecurity consultant who previously ran the SEC’s office of internet enforcement.
Mr. Stark said it was unusual for criminal prosecutors to take interest in any type of disclosure matter, and essentially unheard of in the context of cyber incident disclosures.
“In my 20 years at the SEC, I never referred a disclosure case to a prosecutor,” he said.
Yahoo is expected to report fourth-quarter earnings Monday after the market closes. The company doesn’t plan to hold a conference call with analysts.
—Ryan Knutson contributed to this article.
Write to Aruna Viswanatha at Aruna.Viswanatha@wsj.com and Robert McMillan at Robert.Mcmillan@wsj.com