Download
HTML Embed
HTML EMBED
Click to Copy
Marketplace Morning Report

Employers better start saying, "Ok zoomer."

Nov 22, 2019

Latest Episodes

Download
HTML Embed
HTML EMBED
Click to Copy
Marketplace Morning Report
Download
HTML Embed
HTML EMBED
Click to Copy
Marketplace Morning Report
Download
HTML Embed
HTML EMBED
Click to Copy
Download
HTML Embed
HTML EMBED
Click to Copy
Download
HTML Embed
HTML EMBED
Click to Copy
This Is Uncomfortable
Download
HTML Embed
HTML EMBED
Click to Copy
Marketplace Morning Report
Download
HTML Embed
HTML EMBED
Click to Copy
Download
HTML Embed
HTML EMBED
Click to Copy
Marketplace Morning Report
Download
HTML Embed
HTML EMBED
Click to Copy
Download
HTML Embed
HTML EMBED
Click to Copy

Why do companies wait so long to tell us we’ve been hacked?

Kimberly Adams Sep 11, 2017
Share Now on:
HTML EMBED:
COPY
Photo illustration by Leon Neal/Getty Images

How long can a company hide the fact that your data has been hacked? Depends where you live.

“Forty-eight states have laws that govern notification about security breaches,” said Chi Chi Wu at the National Consumer Law Center. “Most of them use a standard of, you know, ‘as soon as reasonably possible.’”

There’s a lot of wiggle room in “what’s reasonably possible.” Chester Wisniewski of cybersecurity firm Sophos said there are some good reasons why companies delay, like waiting for law enforcement or winnowing down the list of those affected.

“They want to be sure that they’re not notifying everyone and creating undue panic and also undue cost of course, because there is a cost associated with every victim,” Wisniewski said.

Equifax knew in July that the very sensitive data of 143 million customers were in the hands of thieves. Consumers found out last week. There were big gaps with Yahoo, Target, the Office of Personnel Management, too — gaps that could put consumers at additional risk. 

Equifax said in a statement it notified victims “as soon as we had enough information.” Some consumer advocates and lawmakers have called for federal laws mandating how long companies can wait before revealing a data breach.

Marc Rotenberg at the Electronic Privacy Information Center wants stronger notification rules, “but if that national standard operates at a lower level than the protections that the states are currently offering, or discourages states from developing new protections that Washington hasn’t thought of, that would be a mistake,” Rotenberg said. Protections like the ability to call in a credit freeze, a move many are making now.

Rotenberg warned Congress something like the Equifax breech might happen back in 2011 testimony, asking Congress to pass a bill requiring victims of data hacks to be notified within 48 hours. The legislation failed. 

Fall of the Berlin Wall
Fall of the Berlin Wall
The financial lessons of Germany's reunification 30 years ago.  
Check Your Balance ™️
Check Your Balance ™️
Personal finance from Marketplace. Where the economy, your personal life and money meet.
How We Survive
How We Survive
Climate change is here. Experts say we need to adapt. This series explores the role of technology in helping humanity weather the changes ahead.