Federal investigations into Yahoo’s handling of two massive data breaches are becoming more serious, legal experts and a recent news report suggest. In the worst case scenario, investigators could conclude actions by Yahoo employees amounted to an illegal cover-up, and possibly even bring criminal charges.
These are the latest twists in a complicated story involving hacks on Yahoo (YHOO) in 2013 and 2014, which affected 1.5 billion customer accounts. The company only reported the breaches in September and December of last year, triggering investigations and putting Yahoo’s planned merger with Verizon (VZ) in jeopardy.
According to a front page Wall Street Journal story, the Securities and Exchange Commission is looking into whether the two breaches should have been disclosed sooner to investors. This is significant because the agency has never pursued charges against a company over a data breach that affected its valuation.
The Yahoo probe comes amid widespread uncertainty over what companies must do if they are hacked. While there are laws about disclosure, they vary from state to state, and the SEC only offers untested guidelines. As a result, the SEC sees the Yahoo situation as an ideal opportunity to clarify its rules, according to unnamed sources in the Journal.
This idea of using Yahoo to clear up the law makes sense, according to Aaron Tantleff, an authority on data breaches at the law firm, Foley & Lardner.
“It involves a big incident that affects valuation and could derail a merger. It’s one of the best potential test cases,” says Tantleff, adding the case could lead to unprecedented criminal charges if it turns out Yahoo, which had been in merger talks when the breach was discovered, orchestrated a cover-up.
There is so far no proof Yahoo hushed up the breaches in order to protect its valuation or a possible deal, but there are a number of red flags, according to Tantleff.
These red flags relate to the 2014 breach, which saw hackers compromise more than 500,000 accounts, gaining access to consumers’ personal information such as email addresses and birth dates, and answers to password-related security questions. (Yahoo says it discovered the separate 2013 breach, which was even bigger, much later).
While Yahoo only disclosed the existence of the 2014 breach last September, the company has since conceded that some employees knew about it the same year. It’s unclear why those employees failed to alert senior executives (or if in fact they did so), but a source familiar with Yahoo has previously told Fortune that the workers did not appreciate the scope or severity of the breach until later.
Meanwhile, Tantleff points to Yahoo CEO Marissa Mayer as another source of potential liability for the company. Specifically, it has emerged that Mayer knew about the 2014 breach as early as July of last year—well before the company publicly disclosed it in September. Verizon only declared its intention to buy Yahoo on July 25, raising questions of whether Mayer and Yahoo deliberately concealed material information from the phone giant and from investors.
There are other possible explanations for Yahoo’s delay in disclosing the hacks. These include a failure to appreciate the significance of the hacks, as the company has suggested, as well as legal uncertainty about its obligations.
Legal Swarm Around Yahoo
The Yahoo hacking incidents are notable not only for their scale—they are the two biggest data breaches in history—but for the intense legal scrutiny they are attracting. The company is facing more than a dozen class action suits over the breach, and also an onslaught of regulatory investigations.
In response to a question about the status of the investigations, a lawyer for the company said Yahoo could only restate the remarks it included in an SEC filing:
“[T]the Company is cooperating with federal, state, and foreign governmental officials and agencies seeking information and/or documents about the Security Incident and related matters, including the U.S. Federal Trade Commission, the U.S. Securities and Exchange Commission, a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.”
The U.S. Attorney for New York is a notable inclusion on the list because the office is known for prosecuting cyber-crime and white collar criminal cases on behalf of the Justice Department.
In the case of the Yahoo breaches, the U.S. Attorney’s Office is likely conducting an investigation into who carried out the hacks, but it also has the power to bring criminal charges against company executives in the event of a cover-up. A spokesperson for the office declined to comment, as did the SEC.
Get Data Sheet, Fortune’s technology newsletter.
In press releases, Yahoo has blamed “state-sponsored actors” for both of the breaches, a position greeted with skepticism by some in the cyber-security community.
The ongoing controversy over the hacking incidents has taken a toll on the proposed deal between Yahoo and Verizon, leading the phone giant to demand a significant write down and even drop hints it could back out altogether.
Yahoo will announce its latest earnings result at market close on Monday. Its share price is up slightly.