Expect Yahoo's handling of data breach to be scrutinised by regulators, says expert

Out-Law News | 23 Sep 2016 | 12:59 pm

Yahoo can expect data protection authorities around the world to scrutinise its handling of a major data breach it has reported, an expert has said.

Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that regulators are likely to seek an explanation from the internet company over the timing of its notification of the breach.

On Thursday Yahoo announced that it believes the personal data of at least 500 million Yahoo account holders was stolen in a "state-sponsored" cyber attack in late 2014. If confirmed, the data breach would be the largest recorded in history, according to media reports.

Yahoo chief information security officer Bob Lord said data that might have been stolen includes names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. Lord said the company has "invalidated unencrypted security questions and answers so they cannot be used to access an account".

Lord said Yahoo is conducting an ongoing investigation but that it does not look like unprotected passwords, payment card data, or bank account information was stolen. The company is "working closely with law enforcement", he said.

A possible major data breach at Yahoo first came to light earlier this summer when hackers began discussing the availability of Yahoo user data for sale on online forums, according to a report by the New York Times.

In October 2014 Yahoo reported that "a handful" of its servers had "a security flaw", but said at the time that servers were not hit by the so-called 'Shellshock' bug and that no user data was affected.

"In the UK the Data Protection Act requires businesses to implement appropriate measures to safeguard the security of the personal data they hold," Wynn said. "At the moment there is no expectation that the data security measures are foolproof and able to withstand a targeted cyber attack on such an unprecedented scale. However, if data breaches of this kind are to become more prevalent, as current trends are indicating, perhaps the data protection authorities will review that position.

"In this case, however, it is not only the security measures that Yahoo put in place to prevent a cyber attack, but also Yahoo's incident response procedures that are likely to come in for scrutiny by regulators. The authorities are likely to want to know why Yahoo is only now reporting the incident when it appears to have taken place more than 18 months ago and when there were reports earlier this summer about a possible breach," she said.

"The UK's Information Commissioner's Office (ICO) has advised organisations to establish an 'internal breach reporting procedure' so that they can meet their data breach notification obligations under the EU's General Data Protection Regulation (GDPR), which will require data controllers to notify local data protection authorities of personal data breaches they have experienced 'without undue delay and, where feasible, not later than 72 hours after having become aware of it … unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons'. However, businesses cannot afford to wait until May 2018, when GDPR takes effect, to put in place incident response procedures that enable them to meet this timescale," Wynn said.

"Businesses will face stiff penalties for failure to meet their notification of data protection breach obligations under GDPR, which could result in fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater," she said.

"A recent information rights tribunal ruling in the UK shows that the ICO will expect businesses to notify data breaches in multiple steps, if necessary, to inform it of the nature of incidents, beginning from the point at which they become aware of those breaches. The tribunal said that a single customer complaint about a possible data breach can serve as the trigger for notification and that the duty to notify does not necessarily only kick in once internal investigations into those cases are complete," she said.