Most people have misunderstandings about how data breaches are discovered. So apart from
leaving a file on a bus, or leaving a computer on a train, which at some point you would
realize “Well, I left that file on a bus”, most companies are alerted to data breaches
not because they have discovered them but because a third party has told them that they
may have been victim of a data breach. So the classic way a company, a large company,
learns about non-self-inflicted data breaches is they would get a call. They may get a call
from Bruce, they may get a call from Interpol. Sometimes, these are false alarms, sometimes
they are not, but it will take the company some time to do the forensic work that’s
needed to reveal whether they have been victim of a breach and if so what was taken. And
so the idea that all breaches should be reported if feasible within 24h, you know, for the
file on the bus, that makes perfect sense, but for the broader data breaches these are
difficult questions. We don't have necessarily the right answers but they are important questions
that need to be asked.