The cyberattack that breached at least 500 million Yahoo user accounts in late 2014 is the largest such breach on record. It could result in inquiries by federal or international regulators, as well as a number of legal and regulatory requirements under state breach notification laws across the United States.

Yahoo has stated that it has been working with law enforcement. The company does not believe unprotected passwords, payment card data, or bank account information was stolen. But other information was, such as names, email addresses, dates of birth, and telephone numbers as well as some passwords and security questions. Yahoo suspects it was hacked by a state-sponsored actor.

Though it may appear that Yahoo is late in publicly disclosing a 2014 breach, it is possible that the work of law enforcement gave the company legal cover from state deadlines, privacy and security lawyers say.

"Almost all of these notification laws have exemptions for where there is law enforcement involvement in an ongoing investigation and law enforcement requires that notification to the public be delayed," said Edward McAndrew, a partner at Ballard Spahr.