Hasty Briefs (beta)

1k Data Breaches Later, the Disclosure Lag Is Worse

4 hours ago
  • #Cybersecurity Ethics
  • #Privacy Regulations
  • #Data Breach Disclosure
  • Have I Been Pwned (HIBP) has reached 1,000 data breaches, a milestone that highlights why the service is still needed despite GDPR and CCPA: breach disclosure still lags.
  • Carnival and Zara, for example, disclosed their breaches 43 and 45 days after the data leaked; victims were unaware throughout that window, a problem made worse by how quickly leaked data spreads online.
  • Disclosure delays are often justified by the need for thorough analysis, but early notification of the affected email addresses is feasible and is simply not prioritized.
  • Class action lawsuits following breaches are proliferating, pushing organizations to adopt a litigation posture rather than a customer-protection one, in line with shareholder interests.
  • Privacy regulations such as GDPR and CCPA contain loopholes that let companies avoid notifying individuals when a breach does not meet the "high risk" or "serious harm" threshold.
  • Organizations may legally avoid disclosure by arguing that the breached data (e.g., the data from ShinyHunters) does not qualify as sensitive PII under the regulations, delaying or omitting alerts altogether.
  • HIBP persists because organizations' goals are misaligned with the public's expectation of timely breach notification, which the post frames as a social obligation rather than merely a legal one.