I had posted it on the other link as well where Panera Bread's leaks were discussed (1 and 2), but since it is relevant to this discussion, reposting it here. I have edited my conclusion a bit from the original two postings:
Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):
For companies operating in the European Union, the General Data Protection Regulation (GDPR) (3) mandates that such breaches be disclosed within 72 hours. The implementation deadline for GDPR is the end of May 2018 (~7 weeks to go).
Under Armour, a US-based sports apparel manufacturer which operates in the EU as well, recently had a breach that affected 150 million users, and went public within 3 days of discovering the breach (4).
I believe Under Armour's case is the norm we can expect going forward. As most companies are not "tech" in nature, unlike FB, which happens to be one, it will make sense for them to keep just one security policy, and the legally mandated strictest one may be the dominant policy across the enterprise.
It's worth noting that Article 33(1)[1] states that a breach must be reported to the local supervisory authority unless said breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'. This call is made by the organisation which suffered from the breach, by the way (certainly in the absence of any case law).
It will be interesting to see the interpretation of that clause in action, specifically when looking at information such as IP address which is still considered a grey area.
While the decision to do/not-do is up to the company, they still have to document it (in any case, even non-personal), mention the reason for not reporting (e.g. "it's only an IP address") and make that document available upon request.
So if the breach turns out to be a bit more major than they want everyone to think it is, and it turns out that it was major in the end, there either is a paper trail or, worst case for them, no paper trail and probably a worse fine.
(1) https://news.ycombinator.com/item?id=16739753
(2) https://news.ycombinator.com/item?id=16741391
(3) https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
(4) http://www.bbc.com/news/technology-43592470