Partners: Reported SEC Investigation Of Yahoo Shows Importance Of Early Breach Reporting, Preparedness
Partners say the reported investigations into Yahoo's multiple data breaches – and the central issue of whether Yahoo moved too slowly to report them – highlight the importance of early breach disclosure and preparedness.
The Wall Street Journal reported Monday, citing unnamed sources, that the Securities and Exchange Commission is in the early stages of an investigation into Yahoo to see if the company failed to report its data breaches as soon as they could affect investors, as is required under law.
The reported investigation comes on the heels of two huge security breaches at Yahoo, the first occurring in late 2014 affecting 500 million users and the second occurring at the end of August 2013 and involving 1 billion user accounts. The breaches were announced in September and December 2016, respectively. The Wall Street Journal report said the SEC investigation likely concerns the 2014 breach.
While clients often have serious hesitations about disclosing a data breach, partners who spoke with CRN said they usually advise customers to disclose a breach sooner rather than later. They said this reported investigation into Yahoo only serves to further underscore that approach.
"We are actually proponents of early notifications, we know a lot of places will wait till the last possible moment and even balk at disclosing, but we consider it a duty to inform not only the public but the clients of any potential loss of private information," said Matt Johnson, CEO at Baltimore, Md.-based Phalanx Secure Solutions.
Johnson said clients are often hesitant to disclose a breach because they are "afraid of losing face in the public, shareholder or regulatory eyes." He said he advises clients to "get out on top of it early" to counteract those effects, including working with reputational firms for guidance.
"We advise if they are able to get in front of it, it helps save the reputation and lets them move forward in a positive way," Johnson said.
Yahoo isn't just reportedly in hot water with the SEC over slow breach disclosure; the company's pending acquisition by Verizon could be on the rocks, as well. Media reports have said Verizon could also be looking for a discount on its pending $4.83 billion purchase price for the internet company. According to Yahoo's earnings report Monday, the acquisition is still expected to close in the second quarter, a quarter later than originally expected.
To minimize effects like this, Tom Patterson, chief trust officer and vice president of global security at Blue Bell, Pa.-based Unisys, said companies need to be prepared. Before a breach even happens, Patterson said Unisys advises clients to develop a playbook, including writing most of a breach disclosure in advance, engaging lawyers, technical teams and communications professionals. He said this playbook should be actively practiced through a simulated event once a quarter by all parties so that they are on the same page and actively prepared in the event of an incident.
"If you plan that in advance, instead of in reaction mode, you have a much better way to respond and you can really limit the negative repercussions that can happen and get on with serving the best interests of the clients. It's a real win up front," Patterson said.
Patterson said Unisys's cybersecurity resilience business is growing strongly, as companies shift to recognize the inevitability of a breach and recognize the importance of being fully prepared. Patterson said customers are turning to trusted security partners, like Unisys, to help them develop, practice and execute these plans.
"We see this happening to more and more companies around the world and it's something we've tied together in the concept of resilience ... It's really: let us help you figure out how to respond so that when things happen you're not ruined both professionally and as a company. A little bit of preparedness goes a long way," Patterson said.