By SecureWorld News Team
Tue | Mar 13, 2018 | 8:05 AM PDT

What's in a phrase?

Often, that depends on who is interpreting it.

And when it comes to breach notification, that means counsel, executive leadership, the board, regulators, customers and even your own employees.

Perhaps that is why dozens of states are now talking about more specific breach notification rules, which many in InfoSec oppose because every incident is unique.

Is it better to take extra time, establish most of the facts, and then notify with specifics? Or is it better to announce within hours that you were breached, with no idea yet how bad the damage is?

Says the Pew Charitable Trust in a special report, "When Pennsylvania sued Uber last week for waiting more than a year to alert drivers and customers that their personal information had been hacked, the state’s attorney general argued that the ride-hailing company had violated a state law mandating that companies notify people affected by a data breach “without unreasonable delay.”

“Uber hid the incident for over a year, and actually paid the hackers to delete the data and stay quiet,” Attorney General Josh Shapiro said in a statement.

The Pennsylvania lawsuit against Uber and others filed by Los Angeles and Chicago are drawing attention to the vague language in many state laws that defines how quickly consumers must be notified once a data breach is discovered. Pennsylvania’s phrase “without unreasonable delay” is typical of many states, as is “in the most expedient time possible.”"
