Cybersecurity reporting is tough. As Wired magazine notes, “Reporting every tiny remediation to a regulator could be impractical, and might discourage organizations from looking for bugs in the first place. But some data exposures do rise to the level of disclosure even when there isn’t evidence that data was actually stolen.”
Drawing lines are tough, and vary dramatically across borders. In the European Union, GDPR is going to necessitate more notices based on incidents that would not require notice in the US. And in the meantime, regulatory agencies will be overwhelmed with the number of investigations that have already come to them in the early days—and will have to delineate just what kinds of disclosures are required, and under what circumstances they are made as investigations mount.