zx8080 6 hours ago
Is there ANY business motivation for any corporation to open such information up sooner than later?
GaProgMan 5 hours ago
Depends where they are in the world. I _think_ GDPR would be a good enough business reason, as they set a ticking clock of 72 hours from the breach to notifying individuals who are in the breach. And the fines involved are pretty steep (almost effing vertical for some).
apimade 5 hours ago
For tech B2B companies where the founders or executive team hold the majority stake in the organisation, yes. A failure to disclose or respond when there is a public notice on an .onion address, or a sample set of your customer data has been published online, creates tangible, direct commercial impact. You should expect every deal in your pipeline to stall. Your product and company will be flagged by every GRC team, and every stakeholder trying to purchase your product will suddenly need to go to risk committees, or into meetings with CISOs, CTOs, and founders, to explain why buying from you is worth the risk compared to competitors who have not been breached. If you have not addressed the issue, it becomes a literal deal-breaker.

The sooner you write the press release, notify customers, and deal with the underlying problems, the sooner you can turn the incident into a credible story about how you responded, contained it, and improved. If you do not respond, or you deny it, your deals are dead.

The reason I prefaced this with companies where the founders or executive team hold a majority stake is that I sincerely do not believe the same incentives do not exist for most other companies. The stock price is not meaningfully impacted by incidents like this; it is more affected by vibes, market conditions, and the general tech economy. There are a hundred things that will move the stock price before cybersecurity and data incidents do. Operating revenue and profit, however, will be impacted. Executives on a death march for growth, who understand that an incident like this can wipe away a year of progress (and essentially their life's work), are far more likely to take it seriously. They are directly exposed to the commercial consequences.

The companies you see trying to sweep this under the rug, or outright ignore it, are usually one of two things.

1. They are so out of touch with their customers that they would rather listen to a lawyer chasing the "ideal legal-risk outcome" than pursue the best financial, customer and cybersecurity risk outcome. In my experience these are executives who are independently wealthy or already come from wealth, and their priority is simply keeping the status quo.

2. They are simply not incentivised to deal with it properly (neither carrot nor stick). That is: they don't lose their bonus, they don't face the axe, and they aren't rewarded for doing anything "well" in response to it. They might say they're "inherently" exposed because if the business is impacted, so are they (stock price, performance bonuses), but that's incredibly disingenuous, as it's pretty much always not a material difference to them.

For B2C or B2B doing "traditional" stuff? No. The incentive simply isn't there. GDPR, CCPA, whatever, hasn't moved the dial.