Do you mean they should pay off the hackers or ignore that a data breach ever happened? If it's the former then there are some obvious risks there and it's an expensive gamble. If it's the latter then it's likely discoverable without their involvement, one of their millions of customers will enter user+mariot@gmail.com as their address and register that with https://haveibeenpwned.com/?
The lack of discovery/disclosure also covered an acquisition; companies not disclosing breaches during acquisitions is something I bet the SEC would be interested in.