The Regulatory Promise of Swift Notification
Over the past decade, a global regulatory consensus has formed around a simple principle: when a company loses your data, it must tell you promptly. From Europe's landmark General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) and the U.S. Securities and Exchange Commission's new rules for public companies, the legislative push has been unambiguous. The goal is to shrink the window of vulnerability for consumers, giving them and authorities a critical head start to mitigate the cascading harms of identity theft, financial fraud, and personal compromise.
The underlying theory was straightforward. By mandating notification within a defined timeframe—72 hours for certain incidents under GDPR, four business days for "material" incidents under the SEC's rule—lawmakers sought to replace a patchwork of voluntary disclosures with a predictable, compulsory system. The expectation was that the threat of steep fines and regulatory scrutiny would compel organizations to build more efficient incident response mechanisms, systematically driving down the time between discovering a breach and alerting the public. The data, however, now suggests a different and more complex reality.
Measuring the Widening Gap
A new analysis of over one thousand significant data breaches since 2014 reveals a counterintuitive trend: the average time from an organization's internal discovery of a breach to its public disclosure is increasing, not decreasing. The study, which synthesized data from public filings, regulatory reports, and security incident databases, indicates that the average disclosure lag has grown from approximately 34 days in the 2014-2015 period to 52 days in the most recent 24-month period.
This widening gap is not a uniform phenomenon but a pervasive one. Even when excluding extreme outliers—incidents where disclosure was delayed for years—the median time to notify has crept upward. The era before the widespread enactment of stringent privacy laws was marked by ad hoc and often delayed reporting, a problem these regulations were designed to fix. Yet, despite the clear legal mandates for speed, the average organization today takes longer to go public with news of a breach than its counterpart did eight years ago. This phenomenon, which can be termed the "disclosure paradox," raises critical questions about the real-world efficacy of the current regulatory framework.
Factors Behind the Disclosure Delay
The reasons for this growing lag are rooted in the intersecting pressures of modern cybersecurity, corporate legal strategy, and regulatory ambiguity. Foremost among them is the sheer complexity of the attacks themselves.
"Ten years ago, a common breach might have involved a single compromised database," explains Dr. Ananya Sharma, Principal Researcher at the Cyberspace Policy Institute. "Today, we're dealing with multi-stage, persistent intrusions, often via third-party software supply chains. The forensic investigation required to understand the scope—what was accessed, what was exfiltrated, which specific users were affected—is exponentially more difficult. For a global company, untangling that knot can take weeks, if not months."
This technical complexity creates a collision with legal and communications priorities. A premature or inaccurate disclosure can invite litigation, erode customer trust, and trigger regulatory penalties. Legal teams often counsel caution, urging companies to wait until they have "full situational awareness" before making a public statement. This creates a powerful incentive to delay starting the regulatory clock. The ambiguity around the term "discovery" is a key battleground. While regulations often define it as the moment a company becomes reasonably aware of an incident, in practice, organizations may argue the clock doesn't start until a formal, internal investigation confirms the nature and scope of the breach—a process they control.
Furthermore, the involvement of law enforcement can introduce deliberate delays. Federal agencies investigating sophisticated cybercriminal or state-sponsored groups may request that a company postpone public notification to avoid tipping off the attackers and jeopardizing a wider investigation. "There's a fundamental tension between the public's right to know and an agency's need to operate discreetly to neutralize a threat," says Marcus Thorne, a fellow at the Stanford Center for Law and Technology. "While these requests are often necessary for national security, they contribute to the overall time that compromised data is circulating in the dark before victims are aware."
The Tangible Costs of a Ticking Clock
While corporate and legal teams grapple with these complexities, the tangible costs of delayed disclosure fall squarely on individuals. Each additional day of silence is another day that compromised credentials, financial details, and personal identifiers can be exploited by malicious actors. The value of timely notification is that it allows consumers to take protective measures: changing passwords, freezing credit, and monitoring accounts for fraudulent activity. When that notification is delayed by weeks, the window for effective mitigation closes, and the damage is often already done.
This trend also risks a significant erosion of public trust. If consumers come to believe that data protection laws are merely symbolic, creating an illusion of security while companies continue to delay disclosures, faith in both corporate data stewardship and the regulatory bodies themselves will diminish. The perception that organizations can legally maneuver to delay bad news undermines the core promise of the transparency movement.
The disclosure paradox places regulators in a difficult position. The response could involve more prescriptive rules with even shorter, more rigid deadlines. However, this may only intensify the pressure on companies to define "discovery" narrowly or rush investigations, potentially leading to inaccurate initial reports. The challenge moving forward will be to balance the unambiguous need for swift consumer notification with the legitimate complexities of investigating sophisticated cyberattacks. Striking that balance will determine whether the regulatory promise of the last decade can be fulfilled, or if the ticking clock will continue to work against the interests of the public it was designed to protect.