Whack-A-Hack: Contemplating the Timing of Hacking Notifications

Given the upset around whether or not the UCLA should have notified people of its system breach in October 2014 (as opposed to May 2015, when it decided hackers had accessed patient information after all), the appropriate time for companies to notify customers of a breach is unclear. Notification laws vary between states, so everything from "personal information" to "reasonable delay" is essentially undefined. For example, California (home of the UCLA) requires notification of a breach only if data were compromised; Michigan, however, requires notification unless the company is reasonably certain no one was compromised. The two are innocent until proven guilty and guilty until proven innocent, respectively.

Supposing that, by some miracle, all fifty states and extraneous territories had identical notification laws and the UCLA could notify each affected person without the legal obstacle course (idylls are boring, aren't they?), there remains a discretionary issue. Do we, as humans prone to both oversharing information and panicking unnecessarily, really want organizations like the UCLA telling us every time someone hacks into the system? Is playing whack-a-mole with hackers really the best use of the consumer's time? On average, 30,000 websites are hacked every day (out of approximately 240,000,000 active websites, so about 0.0125% of websites are hacked daily), and organizations lose millions of dollars per year. If Philippa Phitzgerald wants to receive hacking alerts from every company that has her personal information, she'll no sooner get a new credit card than another alert will pop up.

Better, then, that we're only notified when it becomes clear we have probably been affected, right? It takes about 156 days to detect a breach, so by the time we would hear about it the damage has likely been done already, whether we are notified immediately or only after the organization has determined that the hack threatened our data. With this in mind, perhaps the question is whether we want to hear about our potential identity theft so often that we begin to ignore the alerts, or so late that there's little to be done anyway. Do we accept the lesser of two evils?

