
Or maybe they'll report in a more timely manner. They knew for the entire month of August a breach had occurred and they didn't report it.

It shouldn't take more than a couple days. That's enough time to verify you had a problem and get a good picture of the extent. You might not have all the details nailed down, but you put out the information you know and say "We'll provide more details as they become available."



It seems unlikely that anyone would've cared. The big problem is that they lost everyone's SSNs. The timing around the reporting isn't really why their company is under the guillotine.

Whoever dismantles their company could try to frame it that way, but the rest of the industry will see through that. It won't be a good situation for us to be in.


I wish more folks would use this as an example for why it might be time for us as a society to move on from having identity security hinge on a 9-digit number and a few other pieces of "flimsy" information.


You mean like the Social Security Office advised when social security numbers were first assigned?


They can advise all they like. When a law gets passed that says private companies cannot refuse or degrade service to any consumer that refuses to disclose certain categories of information that are not directly relevant to the operation of the business with respect to that specific consumer, then I will believe that the government is serious about this.

Right now, a baker can refuse to sell you a cupcake if you won't tell them your SSN. Your electric company can refuse to sell you power if you don't tell them your SSN. The phone company can refuse to give you dial tone. They can even refuse to serve you if your SSN has too many fives in it, or not enough. The character of the SSN currently assigned to you is simply not a protected class for anti-discrimination purposes, even though the difficulty in changing it is somewhere between one's race and one's religion.


So if I as a business wanted to discriminate against a protected class, I could ask for the person’s SSN and refuse service when they don’t provide it?


No, because judges are smart people and not easily tricked by games like that.


You would have to ask everyone for their SSN.


I agree, though it's not clear to me what we should use for identity security. Any piece of information related to a person is going to get out eventually.


If they had a requirement to report each breach promptly, we'd have known far sooner there was a problem there, and the pressure to improve security would have been higher. They have been leaking for years.



