I realize this post is 33 pages in, so who knows who will actually read it, but I have a couple things to say about this.
I have been here since 01/2005, I just got an email TODAY.
If you send out notices in batches, how come it took so many days, when I have been here for nearly 9 years? I should have been nearer the top of the list.
I read MR every day. I have noticed it is different on my phone, so I am not sure why I missed the original post.
Regardless, I think it is BS I wasn't emailed SOONER!
I have to say this is the first time I really feel disappointed in this site, and I would like an answer as to why it took so long to let me know about this.
I posted this above. Apparently you missed this:
Everybody says this (not fast enough notification), and few have any idea what they are talking about.
Once a data breach occurs, the organization must assess the extent, scope and vector of attack. The first order of business is to mitigate the attack itself, then preserve any logs and other key information.
Only once that is complete can a forensic examination begin to determine exactly what information may have been accessed and over what period of time, AND exactly who was affected.
Many times I have seen organizations that know they have had a data breach, but to tie in the names and addresses (physical or email) of their customers with the data that was breached can be very difficult and VERY time-consuming.
All of those steps generally take days, if not weeks, to determine. Not to mention drafting the notifications to comply with the different laws in 47 states (that currently have such laws on the books). Also, there are regulatory notifications that sometimes take precedence over consumer notifications.
The worst thing an organization can do is issue a hasty notification and then find out:
1. There actually was not any unauthorized access to personal information, so no notification was necessary;
2. The breach involved more (or less) than originally thought, so the notifications were in error.
Most state laws provide NO specific time (other than reasonable) to notify affected individuals. Some states provide for 45 days. 30 days is generally considered to be "reasonable". Under HIPAA/HITECH, organizations have 60 days to notify affected patients when protected health information is accessed.
These time periods are built into the laws, because it is not easy to make these determinations in a few days. Although every time there is a breach, somebody always whines they weren't told fast enough. Believe me, it is much more difficult than you think.
And, by the way, under U.S. law, MacRumors had NO legal obligation to notify anybody of this event. MR is simply performing good customer service by notifying you at all. Why? Because under the applicable laws, no "personal information" was accessed in order to trigger notification obligations. Okay?