There are always a ton of articles at the end of every year recapping what went wrong. Over on TechCrunch, Zack Whittaker and Carly Page have their annual list of breaches handled poorly. This year’s list includes 23andMe, Change Healthcare, Synnovis, Snowflake, Columbus Ohio, Salt Typhoon, Moneygram, and HotTopic. DataBreaches generally agrees with their recap, although the last two could be replaced by other incidents that failed to disclose transparently. Unfortunately, there are too many of those.
On a daily basis, DataBreaches has criticized those entities that are not disclosing timely or transparently, leaving consumers and patients in the dark about what happened to their information, who’s got it now and where, and what risks they now face.
As the year draws to a close, there is still no federal regulation or law that requires all entities to notify people promptly if a breach has been discovered. And by “discovered,” we do NOT mean after all the forensics are done and everything is tied up in a bow and run by insurers and legal counsel. We mean that entities should let people know that their data is already being leaked on the dark web or hacking forums when they find out that it’s being leaked — even if they don’t know exactly whose data has been leaked yet. And if identity information appears to be involved, then encourage people to put a security freeze on their credit report if they don’t have one already.
We’ll have more to say about the transparency issue when the next edition of Protenus‘s annual Breach Barometer report for U.S. medical and health data is released early in 2025.