Why Does it Take a Year to Disclose a Breach?
This is one of my pet peeves. And this is not a mom & pop shop that doesn't have the resources. Just bad management.
The owner of CBS (yes, that CBS) and Paramount, National Amusements, disclosed a breach last week.
Again, we are hearing about it from the Maine AG’s web site, not from them directly.
The company is privately owned, so they don’t have to follow the SEC rules, but they still have to follow state breach disclosure notification rules.
The breach happened in December 2022 – a year ago this month.
The Maine AG filing said that personal information on about 82,000 people was stolen last year.
The company just started notifying people last week. Mostly useless at this point, since any damage was long ago done, but it is useful for lawsuits, I guess.
They did not even discover the breach until August 2023. Why is that?
The data stolen includes banking account numbers or credit card numbers in combination with security codes, passwords or secrets.
The information stolen may be for employees since the notification was signed by the company’s HR chief.
This is a second, separate breach from the one they already disclosed to the Massachusetts AG, in which hackers stole personal information from an unspecified number of customers, including names, birthdates, socials and other government ID numbers.
Since the U.S. has opted not to have any national cybersecurity or breach notification laws that apply to everyone, it is likely that these breach notifications will not get any more transparent any time soon.
Credit: TechCrunch