The scale of a second Yahoo breach disclosed Wednesday was staggering enough, exposing information associated with 1 billion accounts. But perhaps even more distressing was that the theft happened three years ago - and had not been reported until now. That probably left a lot of consumers wondering: Why does it take so long to find out that I've been hacked?
In Yahoo's case, the reason for the delay may be a fairly simple one. The company may not have known about the breach. Yahoo has not revealed how it learned about the 2013 attack, but reading between the lines of its announcement, it seems as though its security team was alerted by outside investigators rather than an internal team.
"[Law] enforcement provided us with data files that a third party claimed was Yahoo user data," Bob Lord, Yahoo's chief information security officer, wrote in a blog post. "We analyzed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data."
But even when companies do find a breach on their own, there are other reasons that their users may not hear about it right away. The laws around data breaches are complicated, and each state has its own standards for when and how breaches must be reported, which can slow down the process. There has been a long political fight over how to streamline conflicts between those laws, but Congress hasn't come to a conclusion yet. And as the debate continues, consumers - who often have no idea that they should be protecting themselves against potential identification theft from hacks - are the ones who suffer.
On top of that, different types of information require different disclosures. Companies have to parse out whether financial, medical or other data has been taken and whether the theft poses real harm.
Sorting all of that can take time, particularly when individual states have different guidelines about who needs be notified about what, and when. And companies are often wary of over-notifying customers, for fear of brand damage or, conversely, that breach-fatigued consumers will ignore important messages.
Plus, notification laws vary between states, according to the National Conference of State Legislatures. Only three states do not have such rules: Alabama, New Mexico and South Dakota.
Given that patchwork of laws, it can be hard for national companies to figure out what their duties to their customers are, particularly those based in a state different from the company's headquarters. To solve those conflicts, there have been many pushes for a national notification law that provides a standard for when customers should learn about hacks.
But settling on what should be included in a basic law is tricky. Privacy advocates - who generally favor stronger laws on data-breach notification - raised concerns about a law proposed by President Barack Obama in 2015, worried that federal standards would override some of the more protective measures passed in individual states such as California. Still, the latest Yahoo breach has renewed calls for companies to be better about notifying users when their information has been taken.
"These revelations are deeply troubling," said Sen. Mark Warner, D-Va., in an email to The Washington Post. "Prompt notification enables users to potentially limit the harm of a breach of this kind, particularly when it may have exposed authentication information such as security question answers they may have used on other sites."
Lawmakers and security experts have called for data-breach laws to be passed along with data security standards - measures designed to have companies such as Yahoo check their systems regularly for problems and head off more breaches in the first place.
"The law should require, not just encourage, reasonable data security practices from companies that collect, process, and share personal information," said Samford University law professor Woodrow Hartzog at a hearing in 2015. "This will fortify the protection of personal information in the United States and help ensure that fewer breach notifications need to be sent at all."
© 2016 The Washington Post