Hacker News
by pipo234 1081 days ago
Basically, a company is only incentivized to disclose compromises that were intentional and financially motivated. That is, a hacker that intends to extort the company, sell the information or abuse it for financial gains will ultimately cause too much noise to keep it under the rug.

If this is what the company anticipates, they will have to investigate and disclose.

If the breach is a foreign government or hush-hush data hoarder or the result of plain incompetence, the company can absolutely ignore the problem.

1 comment

Not even then. The company is only incentivized to disclose when there is public proof. Until there is public proof or compelling proof submitted by a victim, they are not liable for their calculated willful ignorance.

The consequences to a company only manifest when noise is being made with proof. That is totally ridiculous.