Why do companies wait so long to tell us we’ve been hacked?

Kimberly Adams Sep 11, 2017
HTML EMBED:
COPY
Photo illustration by Leon Neal/Getty Images

Why do companies wait so long to tell us we’ve been hacked?

Kimberly Adams Sep 11, 2017
Photo illustration by Leon Neal/Getty Images
HTML EMBED:
COPY

How long can a company hide the fact that your data has been hacked? Depends where you live.

“Forty-eight states have laws that govern notification about security breaches,” said Chi Chi Wu at the National Consumer Law Center. “Most of them use a standard of, you know, ‘as soon as reasonably possible.’”

There’s a lot of wiggle room in “what’s reasonably possible.” Chester Wisniewski of cybersecurity firm Sophos said there are some good reasons why companies delay, like waiting for law enforcement or winnowing down the list of those affected.

“They want to be sure that they’re not notifying everyone and creating undue panic and also undue cost of course, because there is a cost associated with every victim,” Wisniewski said.

Equifax knew in July that the very sensitive data of 143 million customers were in the hands of thieves. Consumers found out last week. There were big gaps with Yahoo, Target, the Office of Personnel Management, too — gaps that could put consumers at additional risk. 

Equifax said in a statement it notified victims “as soon as we had enough information.” Some consumer advocates and lawmakers have called for federal laws mandating how long companies can wait before revealing a data breach.

Marc Rotenberg at the Electronic Privacy Information Center wants stronger notification rules, “but if that national standard operates at a lower level than the protections that the states are currently offering, or discourages states from developing new protections that Washington hasn’t thought of, that would be a mistake,” Rotenberg said. Protections like the ability to call in a credit freeze, a move many are making now.

Rotenberg warned Congress something like the Equifax breech might happen back in 2011 testimony, asking Congress to pass a bill requiring victims of data hacks to be notified within 48 hours. The legislation failed. 

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.