The Irish data protection commissioner is to consider taking action against Yahoo over the web company's shortcomings around an email data breach last year that affected over 500m people.
Commissioner Helen Dixon said that she would "impose remedial action where the findings require such action".
Ms Dixon made the remarks at the launch of her office's 2016 annual report yesterday, which revealed a record number of data protection complaints.
"We're of the view that it could have been detected sooner and the risks mitigated sooner," Ms Dixon said.
"We are currently finalising our report and will then give Yahoo an opportunity to review and respond to the report."
Ms Dixon said that it is up to Yahoo whether or not it wants to make the report public.
Sanctions available to the Irish data protection watchdog are limited at present, but these will be significantly boosted next year when the EU-wide General Data Protection Regulation (GDPR) comes into effect.
This will allow for fines of up to 4pc of annual turnover or €20m.
Ms Dixon's remarks on Yahoo come after the regulator reported a spike in overall complaints last year to a record level of 1,479.
That was up from 932 in 2015.
In her office's annual report, Ms Dixon said that there were 2,224 security breach notifications reported here, a slight decrease from 2,317 in 2015.
Meanwhile, the DPC office is to double its staff to 130 people and is to seek a second new Dublin office.
The regulator's office, which is responsible for overseeing some of the biggest technology companies in the world, has expanded from 30 people in 2013 to 70 people now.
However, Ms Dixon says that the relentless pace of the work means that further expansion is required.
"Such is the rate of our recruitment programme that an additional nearby premises is now being sought by the DPC to house the further staff members who will join the DPC over the next two years, bringing our Dublin-based staff to around 130," said Ms Dixon.
The regulator intends to hire 35 extra staff this year and a further 25 staff next year.
The extra resources are partially necessary, she says, to prepare for one of the biggest legal events in data protection history next year, when the General Data Protection Regulation takes effect.
"Once the GDPR comes into force on 25 May 2018, the DPC will be the lead data-protection authority for the regulation of multinationals that have their 'main establishment' in Ireland under the one-stop-shop model," Ms Dixon added.