The U.S. government is notoriously slow — anyone who’s ever participated in jury duty knows this. But in the wake of recent data security breaches at Target and Sony Pictures Entertainment, President Obama recently publicized new legislation that will require corporations to notify customers within 30 days of any possible data breaches.

But the fact is that 30 days is practically an eternity online. This may sound silly, but think of it this way: There are thousands of robots constantly trying to see whether there’s a way to get ahold of a company’s information. And once they find a way in, every single one of those robots is armed to do damage at once.

While I appreciate Obama’s steps to raise awareness for data security, I still don’t know why companies aren’t responsible for immediately notifying customers and law enforcement of a security breach.

The Five-Second Rule Doesn’t Exist in Data
Whether an executive loses a laptop that connects to the company’s virtual private network or a malicious hacker breaches network security, once data is in the wrong hands, it’s compromised. After all, in hacker circles, data is currency. And the juiciest bits of information may find themselves in the hands of criminals before a company has time to react.

Here’s what can happen.

Within seconds: Once hackers are “in,” the company’s data is on the black market within seconds. Hackers want to get as much money out of the data as they can, so they take personal information and sell it.

Within five minutes: Once the data gets in the hands of someone from the black market, it’s easily uploaded into that person’s malicious computer system, which will do one of many things. First of all, it will sniff out vulnerabilities and passwords. Then, those “thousands of robots” I referenced will test the username and password against every site on the Internet.

This might be fairly harmless for the average person, but for some organizations — like the NSA, for example — it wouldn’t take more than an hour for a breach to become a massive problem.

Within 30 minutes: Within 30 minutes of a company’s data being stolen, it’s likely already been used multiple times. Thieves don’t just know the computer systems; they know the financial systems as well. They may only squeeze $20,000 to $30,000 out of the 200,000 credit card numbers from a business’s network, but it won’t take more than 48 hours to run through them all.

Although the police solve most crimes within the first 48 hours, they’re not being notified of data thefts until they’ve been cold cases for 30 days. In this case, the 30-day rule may as well be the 30-year rule. It’s providing the illusion of corporate responsibility, but it’s not useful for the customers — the true victims.

Companies Need to Do More

Because company data can be sold within minutes, time is of the essence for companies that want to diminish damage.

Ideally, customers should be notified via an automatically generated email/text alert the instant a security breach is detected. This way, customers can change passwords and lock down their accounts. However, corporations most likely won’t stand for such measures, as they would be too expensive to implement and create higher cost-per-account operating expenses.

At the very least, a 30-minute rule should be implemented. After all, if a group of teenagers can flatten some dough, add sauce and cheese, throw it in the oven, hand it to a driver, and physically deliver it to a customer’s doorstep in under 30 minutes, there’s no reason an organization should have an issue notifying customers in the same time frame.

It’s a simple matter of including the process in an enterprise’s risk management procedures. A company’s tech department would only need to prioritize one project, and within a few hours, a trained professional would have it completed.

I challenge all businesses that truly care about their customers to set an example beyond what Obama is doing by notifying customers of any breach to their confidential data within 30 minutes. Otherwise, that data is a free-for-all.

Daniel Riedel is the CEO of New Context.