The issue had been debated for some time: in Europe there was no time limit within which providers were strictly required to report an attack, leading to complaints from many customers.
It is not simple, however, to establish the correct deadline for notifying the authorities of a breach. In the United States, where the problem was addressed earlier than in Europe, each state has its own rules. The result is a considerable variety of requirements: in some states, for example, it is enough to notify the attack “sooner or later”, while in others there is a deadline of around 45 days.
The Union's twenty-eight member states therefore decided to tackle the problem firmly, imposing a very tight deadline on IT service companies: no more than one day between the breach and the report to the authority.
The response from the providers criticized for slow notifications was not long in coming: operating within such tight times is impossible, they say, and consumers would be the ones to pay.
The reason is the difficulty of quickly recognizing a cyberattack and identifying who has actually been affected. Imposing such a tight limit, just twenty-four hours, risks making a real understanding of the type of threat impossible and inevitably generating a series of false alarms. It would also be impossible to provide reports that are precise and complete.
Todd Hinnen, a Perkins Coie partner interviewed by SCMagazine, says he supports a maximum time limit for notifications, provided it does not prevent appropriate investigative work. The right notification time can vary, he argues, “but it should still not occur later than 72 hours”.