[Veserv]

It continues to be a travesty of breach disclosure that companys are legally allowed to claim the best possible outcome without any proof. Only definitive proof of compromise compels them to indicate any problems at all and they still get to downplay it to the minimal proven consequences.

This is totally ass-backwards. There is negative incentive to do any investigation. A investigation can basically only make things worse as you get to assume no harm when you are ignorant.

They should be required to disclose the worst with only a thorough investigation demonstrating a credible absence of compromise allowing a positive statement.

This incentivizes investigation and properly errs on the side of the victim when assessing risks.

[pipo234]

Basically, a company is only incentivized to disclose compromises that were intentional and financially motivated. That is, a hacker that intends to extort the company, sell the information or abuse it for financial gains will ultimately cause too much noise to keep it under the rug.

If this is what the company anticipates they will have to investigate and disclose.

It the breach is a foreign government or hush-hush data hoarder or the result of plain incompetence, the company can absolutely ignore the problem.

[Veserv]

Not even then. The company is only incentivized to disclose when there is public proof. Until there is public proof or compelling proof submitted by a victim they are not liable for their calculated willful ignorance.

The consequences to a company only manifest when noise is being made with proof. That is totally ridiculous.

[sokoloff]

How would it work to be required to disclose the worst, though? In most instances, you literally can't describe the worst possible case in the first hours/days of the discovery.

You'd be requiring companies to speculate on the outer bounds of something that is simply not knowable.

[Veserv]

That is pretty easy: “We have been breached. Everyone may be affected. Preliminary results of our investigation to come shortly at {URL}.”

Sucks to be them, but then they have a very strong incentive to quickly begin investigation and triage so that they can quickly identify who is actually at risk.

It is ridiculous to sacrifice the victims by keeping them ignorant of the risks they are facing so that the company can save face. They should not be allowed to blindly speculate that everything is perfectly fine which is simply not knowable without a investigation.

[sokoloff]

How long until those become the security equivalent of Prop 65 "causes cancer" warnings? Or the shitshow that DMCA takedowns are today?

What's the burden of proof to confirm that the first sentence in your quote is correct? (Can I just claim to have breached some company and have the law compel them to issue that quote?)

You're frustrated that companies are issuing information-free notices today; your proposal appears to make them issue information-free notices tomorrow.

[Veserv]

Establishing the presence of any data breach is far easier than establishing the exact scope. My proposal moves the burden of proof to just establishing the former and demanding the company prove the latter. This is a division of labor that is common in safety critical industrys with decades of proven results supporting the effectiveness of such a regime.

Your complaint that the situation will just turn into everybody acknowledging that they are hopelessly insecure is a far better situation than now where everybody lies by claiming that they are secure. It results in the acknowledgement of breaches and the acceptance of liability that would be helpful for future legislation that can actually apply penaltys for delivering products that are defective with respect to security.

[Goronmon]

Can I just claim to have breached some company and have the law compel them to issue that quote?

I don't think anyone would have to claim to have breached the company in question.

Just the act of asking the question would compel any company to have to respond "Yes, we have been breached."

[naikrovek]

> That is pretty easy: “We have been breached. Everyone may be affected.

so as a user, just assume this at all times, then. just assume that all of your accounts are hacked or will be in 10 minutes and don't put anything in them that you would not be ok with others knowing. I don't see the difference between just assuming they're all compromised and waiting for a company to tell you that your account may be compromised and that they'll tell you more in 2 years once the investigation is fully completed and everything is known.

[hulitu]

> It continues to be a travesty of breach disclosure that companys are legally allowed to claim the best possible outcome without any proof

> "We have seen no evidence that customer data has been accessed or compromised."

I think they are sincere here. I too have seen windows machines being compromised and the system, with the latest certified antivirus, run hapilly. /s

[SoftTalker]

They are taking advantage of the "innocent until proven guilty" that is really only applicable to criminal charges but many people seem willing to extend it more generally.

The followup question to those kind of statements should always be "do you have any evidence that your accounts are not compromised?"

I.e. absence of evidence is not evidence of absence.

[naikrovek]

> It continues to be a travesty of breach disclosure that [companies] are legally allowed to claim the best possible outcome without any proof.

what proof would you propose that you be shown? how do you prove something didn't happen?