
Why do companies wait so long to tell us we’ve been hacked?

Kimberly Adams Sep 11, 2017
Photo illustration by Leon Neal/Getty Images

How long can a company hide the fact that your data has been hacked? Depends where you live.

“Forty-eight states have laws that govern notification about security breaches,” said Chi Chi Wu at the National Consumer Law Center. “Most of them use a standard of, you know, ‘as soon as reasonably possible.’”

There’s a lot of wiggle room in “what’s reasonably possible.” Chester Wisniewski of cybersecurity firm Sophos said there are some good reasons why companies delay, like waiting for law enforcement or winnowing down the list of those affected.

“They want to be sure that they’re not notifying everyone and creating undue panic and also undue cost of course, because there is a cost associated with every victim,” Wisniewski said.

Equifax knew in July that the very sensitive data of 143 million customers were in the hands of thieves. Consumers found out last week. There were big gaps with Yahoo, Target, the Office of Personnel Management, too — gaps that could put consumers at additional risk. 

Equifax said in a statement it notified victims “as soon as we had enough information.” Some consumer advocates and lawmakers have called for federal laws mandating how long companies can wait before revealing a data breach.

Marc Rotenberg at the Electronic Privacy Information Center wants stronger notification rules, “but if that national standard operates at a lower level than the protections that the states are currently offering, or discourages states from developing new protections that Washington hasn’t thought of, that would be a mistake,” Rotenberg said. Protections like the ability to call in a credit freeze, a move many are making now.

Rotenberg warned Congress in 2011 testimony that something like the Equifax breach might happen, asking Congress to pass a bill requiring victims of data hacks to be notified within 48 hours. The legislation failed.
