Frustrated posts from Facebook users point to confusion over the company's Friday announcement that as many as 50 million accounts may have been compromised. Users of the social media platform want to know if their accounts were used and if so, how and by whom.
But cybersecurity investigations take time — they always have. They can be messy and inconclusive for months, or even years. But because of the General Data Protection Regulation (GDPR), enacted this May in the European Union, fast but incomplete notifications are likely the new norm.
GDPR calls for a swift three-day notification period for companies to tell people who may have been affected by a breach. But companies often don't know who precisely got the brunt of the hack among their customers right away. So while notifications may go out, the process of uncovering details in the public eye will be much slower.
"The GDPR requires prompt notice — 72 hours from 'awareness' of the breach. But it doesn't require 'perfect' notice," explains Paul Ferrillo, head of the cybersecurity practice at law firm Greenberg Traurig. "The [regulation] allows an immediate notice within 72 hours, as well as updates to that notice in phases. It comports to the right of the individual to know if there is a breach to protect him or herself."
"It's very hard for even the most skilled practitioners to fully understand the contours of a sophisticated data breach in less than 72 hours," he said.