by Mustafabei 123 days ago
I am a lawyer and my field does cross the area in which these events transpired.

First, yes, everyone should acknowledge that this matter has been handled poorly by their corporate in-house and external lawyers. This should not have happened. The company should face consequences. I advise my data controller corporate clients to reach out to the reporter/whistleblower immediately and have the IT team collaborate, at the very least talk to the person to effectively replicate the exploit so it can be thoroughly fixed. There should even be procedures on how this should be handled. I understand from the article that this is not how it's done.

However, I feel obligated to note some different aspects, all of which are absolutely not intended to condone how this company handled the situation. I want to reiterate: they should have handled it better.

Things to note:

1. They might have already reached out to the data privacy board. The data privacy boards, especially in Europe, are very involved in the reporting procedures and, in my experience, their experts are very reluctant about public disclosures if the breach/data leak is caused by an exploit. They (sometimes rightfully) do not trust the private sector's biased explanation that this vulnerability has been "fixed" and sometimes effectively prevent public disclosures about the event, allowing only the affected data subjects to be informed about the event. The potential danger of re-exploitation and protection of the public far outweighs the public's (that is, persons who are not affected by this breach) right to be informed of such an event. Affected persons should be notified. You might not have been aware that this happened. It is their legal obligation to notify the affected data subjects, but it is not their legal obligation to notify the reporter that the notifications to the data subjects have been made.

2. You did the right thing reaching out to the company and, upon some radio silence, contacting the competent authority. But sadly, your duties as a citizen end there. You played your part and did all you could have done, if not more. Contacting the company again was not really required. If you found yourself losing sleep, you could have re-contacted the authorities with a data subject request or a right-to-be-informed request. They are legally obligated (under GDPR) to respond to you.

3. Sadly, your e-mail, especially the line below, is actually a threat that is actionable under many EU jurisdictions:

   I am offering a window of 30 days from today the 28th of April 2025 for [the organization] to mitigate or resolve the vulnerability before I consider any public disclosure.

You cannot disclose this to the public. Even with good intentions. This might enable the exploit to actually be exploited by bad-faith persons and would cause more damage. The company is responsible for this vulnerability and they should face consequences for their actions or the lack thereof, but going public about an exploit is absolutely ill-advised, even if this is intended to coerce the company into action.

Nevertheless, I wanted to reiterate that this is not intended to condone the company's behavior in any way. You did the right thing warning them and the authorities, but further action might have caused more damage. It is always best to attend to these situations with the guidance of a data privacy legal consultant.

2 comments

> 3. Sadly, your e-mail, especially the line below, is actually a threat that is actionable under many EU jurisdictions:

I suppose the choice of words is the problem here? How should one announce an embargo period?

> You cannot disclose this to the public. Even with good intentions.

Bullshit. NIS 2 article 12 specifically says CSIRTs must coordinate the negotiation of a disclosure timeline between reporter and provider. I'd say offering a 30-day embargo while CC'ing the relevant CSIRT is the start of such a negotiation from the reporter.

My biggest doubt about this story, LLM writing aside, is the lack of any mention of a CSIRT follow-up.