No One Can Get Cybersecurity Disclosure Just Right

If Facebook and Google’s recent security debacles proved anything, it’s that disclosure is tricky business.

WHEN YOU GIVE an organization your data, and then that data gets exposed or stolen, you probably want to know about it. Seems simple enough. If a friend lost your sweater, you’d expect him to tell you. But a seemingly endless parade of massive data exposures—including, most recently, at Facebook and Google—reveals just how complicated that practice of disclosure can be.

Take Facebook’s massive data breach at the end of last month, which served as the first major test run of disclosure requirements in the European Union’s General Data Protection Regulation. Facebook could face more than $1.5 billion in fines under GDPR just for allowing the breach in the first place. But the company reduced the possibility of an even larger fine by disclosing the incident to regulators within 72 hours of discovering it—a GDPR requirement.