In Yahoo's case, the reason for the delay is a fairly simple one: the company didn't know about the breach for years after it happened. Yahoo has said that it first received the information that led it to discover the 2013 attack on November 7. Its security team was alerted by outside investigators rather than by an internal team.
“[Law] enforcement provided us with data files that a third party claimed was Yahoo user data,” wrote Yahoo's chief information security officer Bob Lord in a blog post. “We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data.”
But even when companies do find a breach on their own, there are other reasons their users may not hear about it right away. The laws around data breaches are complicated, and each state has its own standards for when and how breaches must be reported, which can slow down the process. There has been a long political fight over how to resolve conflicts between those laws, but Congress hasn't come to a conclusion yet. And as the debate rages on, consumers, who often have no idea that they should be protecting themselves against potential identity theft following a hack, are the ones who suffer.
On top of that, different types of information require different disclosures. Companies investigating hacks have to parse out whether financial, medical or other data has been taken and whether the theft of that information poses real harm to consumers.
Sorting all of that out can take time, particularly when individual states have different guidelines about who needs to be notified about what, and when. And companies are often wary of over-notifying customers, for fear of brand damage or, conversely, that breach-fatigued consumers will ignore important messages.
Plus, there are different notification laws in 47 states, plus D.C. and Puerto Rico, according to the National Conference of State Legislatures. (The only three states that do not have data breach notification laws are Alabama, New Mexico and South Dakota.)
Given that patchwork of laws, it can be hard for national companies to figure out what their duties to their customers are, particularly to customers based in a different state from the company's headquarters. To resolve those conflicts, there have been many pushes for a national data breach notification law that provides a baseline standard for when customers should learn about hacks.
But settling on what should be included in a basic law is tricky. Privacy advocates — who generally favor stronger laws on data breach notification — raised concerns about a national data breach notification law proposed by President Barack Obama in 2015, worried that federal standards would override some of the more protective measures passed in individual states such as California.
Still, the latest Yahoo breach has renewed calls for companies to be better about notifying users when their information has been taken.
“These revelations are deeply troubling,” said Sen. Mark R. Warner (D-Va.) in an email to The Post. “If a breach occurs, consumers should not be first learning of it three years later. Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites.”
Lawmakers have suggested data breach laws be passed along with data security standards — measures designed to have companies such as Yahoo check their systems regularly for problems and head off more breaches in the first place.
In New York, Attorney General Eric Schneiderman has been calling for the state to pass a law that requires companies to have “stronger technical and physical security measures” for their data.
“This latest breach of Yahoo’s servers is a stark reminder that big data hacks are increasingly becoming the new normal,” Schneiderman said in a statement Thursday. “In light of that reality, I urge all New Yorkers to take essential steps to increase security of their personal information online and identify whether or not they’ve been the victim of identity theft.”
Information security experts have also recommended, in congressional testimony, that data breach notification laws be considered together with data security standards.
“The law should require, not just encourage, reasonable data security practices from companies that collect, process, and share personal information,” said law professor Woodrow Hartzog in a hearing in 2015. “This will fortify the protection of personal information in the United States and help ensure that fewer breach notifications need to be sent at all.”