From the Washington Post
By Derek Hawkins
Europe’s General Data Protection Regulation requires companies with customers in the E.U. to notify regulators of a breach within 72 hours or face a severe penalty. Fifty-four percent of experts we surveyed supported a similar law in the U.S. The Network is our panel of more than 100 cybersecurity leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)...
There isn't a one-size-fits-all solution, some experts argued. “Timing isn't always the most important part of transparency,” said Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “And — as most people in the business know — 72 hours isn't enough time to unravel what has really happened in even a moderately complex breach. The intention behind the law may be good, but this provision is just not sensible.”
Steve Weber is a professor in the UC Berkeley School of Information and faculty director of Berkeley’s Center for Long-Term Cybersecurity.