I think the criteria of reporting should be something along the lines of "If the data that was stolen is the user's, then report to the user". If it can't be determined what was stolen, just report to everyone. This should be an embarrassing situation for the company.
It is probably not of the greatest interest to hn users, but banks, afaik , report - but not to the public, where I live (except for creditcard leaks).
Wouldn't a major leak potentially create a bank run?
You don't need to be uneducated, insane, or an idiot to withdraw all of your money when you suspect that your bank is going to fail. It can be an individually rational move even if you merely suspect that other customers suspect that your bank is going to fail.
In the US, software regulated under HIPAA must report many breaches through a public website. I know my company is extremely serious about preventing breaches, and I would not be surprised if this law would make companies take things more seriously. Of course, there may be too many breaches for it to have any consequence.
5 comments
[ 6.2 ms ] story [ 24.6 ms ] thread