Just how do companies decide when to report privacy breaches — to the government, to their customers, and to YOU? The Wall Street Journal has a lengthy piece on the very first steps companies should take upon learning they’ve been hacked. The article says 46 states have laws that specify when a company has to inform people whose records have been exposed in a data breach, but each state interprets the laws differently.
According to the WSJ article:
“Usually, if the data stolen include a name and something like a credit-card or Social Security number, then notification laws are triggered. But sometimes if the data are encrypted or there’s a strong reason to believe that the information won’t be misused, there’s no need to tell anyone. In other cases, credit-card data could be so old that all the cards would have expired. Deciding whether to disclose a breach isn’t just a matter of law. Sometimes companies do it because they’re afraid it will get out or just because they think it’s the right thing to do.”