How long can a company hide the fact that your data has been hacked? Depends where you live.
“Forty-eight states have laws that govern notification about security breaches,” said Chi Chi Wu at the National Consumer Law Center. “Most of them use a standard of, you know, ‘as soon as reasonably possible.’”
There’s a lot of wiggle room in “what’s reasonably possible.” Chester Wisniewski of cybersecurity firm Sophos said there are some good reasons why companies delay, like waiting for law enforcement or winnowing down the list of those affected.
“They want to be sure that they’re not notifying everyone and creating undue panic and also undue cost of course, because there is a cost associated with every victim,” Wisniewski said.
Equifax knew in July that the very sensitive data of 143 million customers were in the hands of thieves. Consumers found out last week. There were big gaps with Yahoo, Target, the Office of Personnel Management, too — gaps that could put consumers at additional risk.
Equifax said in a statement it notified victims “as soon as we had enough information.” Some consumer advocates and lawmakers have called for federal laws mandating how long companies can wait before revealing a data breach.
Marc Rotenberg at the Electronic Privacy Information Center wants stronger notification rules, “but if that national standard operates at a lower level than the protections that the states are currently offering, or discourages states from developing new protections that Washington hasn’t thought of, that would be a mistake,” Rotenberg said. Protections like the ability to call in a credit freeze, a move many are making now.
Rotenberg warned Congress something like the Equifax breech might happen back in 2011 testimony, asking Congress to pass a bill requiring victims of data hacks to be notified within 48 hours. The legislation failed.
|This 17-year-old hacked the Air Force|
|A new form of identity theft: account takeover|
|Your computer’s security updates may be annoying, but they’re crucial|