The recurring theme this week seems to be around the gap between breaches happening and individual victims finding out about them. It’s tempting to blame this on the corporate victim of the breach (the hacked company), but they’re simultaneously dealing with a criminal intrusion, a ransom demand, and class-action lawyers knocking down their doors. They’re in a lose-lose position: pay the ransom and fuel the criminals whilst still failing to escape regulatory disclosure obligations. Disclose early and transparently to individuals, which then provides fuel to the lawyers. Try to sweep the whole thing under the rug and risk attracting the ire of customers and regulators alike. It’s a very big mess, and it doesn’t seem to be getting any better.
