Facebook’s recent data breach impacting several million people “served as the first major test run of disclosure requirements in the European Union’s General Data Protection Regulation. Facebook could face more than $1.5 billion in fines under GDPR just for allowing the breach in the first place. But the company reduced the possibility of an even larger fine by disclosing the incident to regulators within 72 hours of discovering it—a GDPR requirement. Network security and digital forensic practitioners note, though, that 72 hours isn’t very much time to investigate the scale and scope of an intrusion. That narrow window could also push breach victims to wildly overestimate the impact of a breach, or report unsupported findings to simply meet the requirement and hedge for later. Rapid public disclosure can also complicate active investigations and law enforcement inquiries.”
Source: No One Can Get Cybersecurity Disclosure Just Right | WIRED