Yahoo, the technology company known for its once-popular search engine and email server, fell victim to the largest data breach in internet history in late 2014 when 500 million user accounts were compromised. The company only announced the breach Sept. 22.

Users and information activists alike are calling the company irresponsible for not disclosing its knowledge of the event to customers as soon as it was discovered, which The Washington Post reports could have been as early as July of this year. Multiple civil lawsuits are already under way by citizens in both California and New York.

That it took almost two years for a corporation as large as Yahoo to detect the data breach is unacceptable; its failure to alert customers the minute the breach was discovered is even worse. The tech giant signed an agreement for Verizon to acquire much of its business, and its lack of disclosure to that company is also irresponsible. No one has benefited from Yahoo’s silence on the matter, not even the company itself.

With millions of accounts compromised, users should have been able to change passwords and account information at the earliest opportunity.  This would have protected not only their Yahoo accounts, which could have sensitive emails and personal information, but accounts on other websites for which they used the same password and email combination, as is common for many.

Given the potential danger to users that was irresponsibly prolonged, the civil lawsuits being filed are completely justified. An internet company Yahoo’s size should have the technology and staff size, if not to prevent the hack, then to detect it as soon as it happened, and it certainly had the ethical obligation to inform users sooner. 

Companies like Target and Home Depot experienced data breaches on a much smaller scale in recent years, but they serve as examples of how to properly respond. Target’s RedCard users were issued new cards with better security protection, and Home Depot paid $19 million in damages to those whose credit cards were compromised, and their hacks affected far fewer people than Yahoo’s.

While state law often mandates immediate disclosure, federal law does not. On a state level, 47 states and Washington D.C. have laws about security breach notification, but Yahoo’s hack exists on more than just a state-by-state level. Virginia Sen. Mark Warner is calling for a U.S. Securities and Exchange Committee investigation, which is not necessarily likely to find a violation because current securities law does not impose a duty of notification.

Yahoo had the responsibility to tell its users as soon as it knew something was wrong. Instead, the company let its customers down. It let its successor, Verizon, down by not fully disclosing the state of affairs, and it let itself down by not being an example of what a corporation should do when it is hacked, which will not help its declining status on the web.