by mannykannot 3211 days ago
That seems reasonable, up to a point, but it also looks potentially self-serving and open to abuse (especially given the news about stock sales by insiders). If a company in a position with this level of risk cannot staunch the leak within hours, it should be required to curtail its activities to the extent necessary to stop further leakage, until it has the proximate cause of the problem under control.

Nor should the instigation of credit monitoring be delayed until the investigation is complete. To pick a contemporary analogy, it would be like not informing the public of an approaching hurricane until its precise point of landfall has been determined.

1 comment

Building off your analogy, you don't order mandatory evacuations every time you see a tropical depression form out in the Atlantic. It's only when the tropical depression actually turns into a hurricane and is on a collision course that you warn the public.

Data breaches are the same. If you put out a press release every time your infosec team discovered an attack, you'd be putting out releases every single day, multiple times a day, even though most of those breaches would turn out to be inconsequential after investigation. The public would become totally desensitized to them. That's why the investigation has to be done to determine if there actually is something to notify the public about.

Now, there's surely a point in the investigation where you "know" that the public needs to be notified, but you aren't completely done with the investigation yet. It would probably be in the public interest to notify then rather than waiting, but I think companies are scared to do this because many companies in the past have been lambasted by the public for doing just that. Apparently people don't like it when you release a statement saying "we had a major breach and some customers are affected but we don't know who yet", so it seems that companies are opting to get all the facts before saying anything.

You seem to be saying that, of the two analogies, mine is closer to actual practice.