Friday, 24 June 2011

Is speed a good thing in disclosing security breaches?

How quickly do you feel a company should notify you that your personal data has been exposed as the result of a security breach?

There have been a number of high profile data breaches recently, such as Sony, Epsilon and Honda Canada.  Each company took a different amount of time to notify customers, but that is because they are allowed to.  There are no laws that specify how quickly they must advise you that your private information may have become public.

Sony, who has lost more than 100 million records this year, took 3 days after the detection of the Sony Playstation Network breach to advise customers.

Epsilon, who lost millions of customer account data belonging to more than 50 major companies, contacted people only a day after the breach was discovered.

Honda Canada, who suffered a breach in March, didn't notify people until May.

Reuters is reporting that a new US data breach bill would set a mandatory maximum on the amount of time a company can delay advising the public.  The current version of the bill states that companies don't have to tell the public until 48 hours AFTER the investigation of the breach is complete.  Hopefully that gets strengthened, as an investigation can drag on for a very long time.