[bodz]

Discovering a breach is only a fraction of what has to happen before customers/public should be notified of said breach. It's not very helpful to anyone if you put out a press release that just says "we discovered a breach but have no idea who, if anyone, was affected, we have no idea what was stolen, and we have no idea who did it." There have to be investigations that happen prior to any of that being known/released. Investigations to find this type of stuff out usually takes months, and typically involves the FBI or other agencies, which sometimes will actually ask you to keep news of the breach quiet if it might help them track down the perpetrators. You also want time to fix the issue before you go tell the entire world that there's a hole in your security.

I work in cybersec and I would actually say that under 1.5 months from discovery of unauthorized access to releasing this press release (and already having the equifaxsecurity2017 website up and running) is astonishingly fast work.

[mannykannot]

That seems reasonable, up to a point, but it also looks potentially self-serving and open to abuse (especially given the news about stock sales by insiders.) If a company in a position with this level of risk cannot staunch the leak within hours, it should be required to curtail its activities to the extent necessary to stop further leakage, until it has the proximate cause of the problem under control.

Nor should the instigation of credit monitoring be delayed until the investigation is complete. To pick a contemporary analogy, it would be like not informing the public of an approaching hurricane until its precise point of landfall has been determined.

[bodz]

Building off your analogy, you don't order mandatory evacuations every time you see a tropical depression form out in the Atlantic. It's only when the tropical depression actually turns into a hurricane and is on a collision course that you warn the public.

Data breaches are the same. If you put out a press release every time your infosec team discovered an attack, you'd be putting out releases every single day, multiple times a day, even though most of those breaches would turn out to be inconsequential after investigation. The public would become totally desensitized to them. That's why the investigation has to be done to determine if there actually is something to notify the public about.

Now, there's surely a point in the investigation where you "know" that the public needs to be notified, but you aren't completely done with the investigation yet. It would probably be in the public interest to notify then rather than waiting, but I think companies are scared to do this because many companies in the past have been lambasted by the public for doing just that. Apparently people don't like it when you release a statement saying "we had a major breach and some customers are affected but we don't know who yet", so it seems that companies are opting to get all the facts before saying anything.

[mannykannot]

You seem to be saying that, of the two analogies, mine is closer to actual practice.