Following on from the Yahoo breach last week, Democratic Senator Mark Warner has asked the U.S. Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled their obligations to inform investors and the public about the hacking attack that affected 500 million user accounts.
Commenting on this news below is Andy Green, Senior Technical Specialist at Varonis, who believes Yahoo would have been facing substantial fines if the upcoming GDPR laws were already in place.
“Under the current EU Data Protection Directive (DPD), there is no breach notification requirement, which was one of the main motivations for the new General Data Protection Regulation (GDPR) that will take effect in 2018. If the GDPR were currently the law and Yahoo hadn’t reported the exposure of 500 million user records to a DPA within 72 hours, it would face massive fines. With a violation of the GDPR’s Article 33 reaching as high as 2% of global revenue, Yahoo could have been on the line for more than $90 million.
“Considering that Yahoo reportedly found out about the breach back in the summer, and the hack appears to have happened back in 2014, this is a clear case of breach violation under the GDPR. As the law is being brought in to compel companies to report breaches just like the Yahoo one, we would hope it would have forced them to come clean as soon as they found out.”