Heads in the Sand About Third-Party Data Breaches
December 18, 2019
GroupSense, a cybersecurity intelligence company, prowls the dark web looking at data on offer to see if any of it was stolen from its clients. It also notifies companies that aren’t clients, as a courtesy, when their data is for sale. The usual response when that happens is no response, probably because the breached company doesn’t want to know or acknowledge that it has been breached. The CEO of GroupSense has some theories about why. The victims might think the notification is a trick of some kind. They may also get too many tips about third-party breaches to investigate them all. But the most likely reason is that once notified, they are duty-bound to respond and, depending on relevant notification laws, required to notify their customers. The EU’s GDPR and the newly enacted California CCPA give organizations 72 hours to notify people whose personal data has been compromised, but no regulations have set standards for third-party notifications. Therefore, companies are not obliged to listen if a well-intentioned party tells them they have been breached.