CDSA

Delay in Hack Disclosure Could Hurt Yahoo (Fortune)

[svg-table-content]

Whatever the cause, Yahoo’s foot-dragging may be more than poor judgment. It may also be illegal given laws in 47 states that require companies to alert consumers when they’ve been hacked.

The notice periods vary from place to place. Some states require companies to notify customers about data breaches within 30 or 45 days, while others use more general language like “as soon as expedient” and “without unreasonable delay.” In those states, the notice period may be shorter—a recent case pending in California is claiming that even two weeks may be too long, according to Aaron Tantleff, a lawyer with Foley and Lardner.