The Securities and Exchange Commission is serious about data breaches.
That is why it fined Altaba (formerly Yahoo!) $35 million for failing to disclose a data breach for 2 years.
The SEC said that Yahoo executives knew within days that Russians had stolen the “crown jewels” (usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers) for hundreds of millions of user accounts, but failed to investigate the breach and to adequately consider whether the breach needed to be disclosed to investors.
Not discussed in the SEC’s order was whether directors and officers who knew of this material fact traded on the undisclosed inside information, which could be a criminal act.
Will the other shoe drop?