Ericka Chickowski writes:
As the SAFE Data Act data breach law made its way to the House Energy and Commerce Committee after passing through the Subcommittee on Commerce, Manufacturing and Trade last week, security experts are wondering at the wisdom of a national data breach law that requires notification within 48 hours of a breach’s discovery. While delayed notifications and stonewalling from some companies have been a big problem following data breaches, some security experts believe that an exaggeratedly short notification window will actually end up hurting consumers rather than helping them.
Read more on Dark Reading.
The article cites Larry Ponemon that most consumers think about 30 days is okay. That’s not consistent with what I’ve been seeing recently where people are getting ticked off in they are not notified within two weeks, but in the bigger picture, their 30-day window may be about right in terms of what the average consumer might expect. Brian Prince comments that another Ponemon study showing that breaches cost more when entities start notifying quickly also argues for not jumping the gun. That’s a good point, but let’s not forget Javelin findings that people who receive breach notices are more than 4x more likely to become victims of fraud or ID theft within the 12-month period, so there is some justification there for prompt notification. How often have we seen data thieves start using data within 30 days? It’s not uncommon.