The top Democrat on a House panel this week criticized the U.S. Postal Service for waiting to notify employees that a recent breach of the organization’s computer network had compromised their personal information, saying the agency’s justification for the delay “doesn’t fly.”

Rep. Stephen Lynch (D-Mass.), the top Democrat on the House postal subcommittee, said at a hearing on Wednesday that the USPS should have alerted its workers immediately after learning that hackers had copied their data. He also suggested that Congress may need to consider legislation that would force agencies to notify their staff of cyber breaches more quickly.

“If we go with your plan, a U.S. government agency could have the Social Security numbers for all its employees compromised, and you’ll decide based on your own interest when the employees will be notified,” he said.

Randy Miskanic, the head of USPS digital security, testified that the agency did not verify that personal information had been stolen until Nov. 4, even though it realized on Sept. 11 that a potential breach had occurred.

The organization initiated a plan to “evict the adversary” from the network three days later, and it finally notified employees of the problem on Nov. 10.

The FBI and the Department of Homeland Security’s Computer Emergency Readiness Team had advised the Postal Service against revealing the breach too soon, saying such a move could trigger bolder actions from the hackers to sabotage the network, according to Miskanic.

“This valid threat of additional potential damage to the Postal Service and victims was deemed sufficient basis to delay notification and public announcement until after short-term remediation was accomplished,” the postal official said in written testimony for the subcommittee.

Lynch suggested he was not satisfied with the agency’s answers. “The way this should work is, as soon as you know that a file has been compromised and it contains personally identifiable information, Social Security numbers, that employee should be notified,” he said.

The Postal Service is providing its employees with free credit-monitoring services for one year because of the cyber intrusion.