Data breach victims more often than not face delays in critical notifications

Public institutions and private companies have persistently failed to promptly notify individuals when their personal data has been exposed in cyberattacks. Despite mounting regulatory pressure and heightened public scrutiny, recent incidents involving the compromise of personally identifiable information (PII) show that timely notification remains the exception, not the rule.

From healthcare platforms and federal regulators to private contractors and data aggregators, the silence following a breach often lasts for months or longer, leaving millions of individuals vulnerable to fraud and identity theft without their knowledge. Institutional responses have lagged both public expectations and the gravity of the breaches. What connects these breaches is more than just the compromise of sensitive data. It is the collective silence that follows: the inertia of institutions that prioritize public image or legal exposure over transparency and public safety.

As cyberattacks grow more sophisticated and frequent, the gap between breach detection and public notification continues to widen. Without enforceable penalties and clearer legal obligations, that gap becomes a window of opportunity for bad actors and a trap for the unsuspecting individuals whose data has already been stolen.

Recent incidents reveal the widening gap between the standards of privacy protection the public demands and the inconsistent, often inadequate actions taken by those responsible for safeguarding this data. While the contexts differ, these cases underscore a shared failure: protecting personal information remains a neglected obligation for many organizations entrusted with that duty.

In Long Beach, California, residents were left in the dark for nearly a year and a half following a significant data breach in November 2023 that compromised the sensitive personal information of over 300,000 individuals. Despite early reports confirming unauthorized access to the city’s network, it wasn’t until April 2025 that formal notifications were issued to affected residents.

By then, however, the compromised data – ranging from Social Security numbers to biometric information and medical records – had been potentially circulating in criminal data markets for 17 months. While city officials claimed the delay was necessary due to the complexity of the forensic investigation, such rationale rings hollow for those who were left unprotected and uninformed.

The breach’s reach extended across multiple city departments and included not just basic identifiers like names and dates of birth, but also financial account numbers, medical provider details, and biometric data, which are precisely the categories of information most prized by cybercriminals seeking to commit identity theft or financial fraud.

Although city leaders, including Mayor Rex Richardson and City Manager Tom Modica, emphasized transparency and security investments moving forward, the damage to public trust had already been done. The city’s subsequent creation of a call center and provision of credit monitoring services appears more reactive than proactive, and far too little, far too late.

The Long Beach incident might be considered an egregious lapse in local data governance, but it is not isolated. One of the most alarming examples is the 2024 breach involving National Public Data, a vast commercial data broker that amassed records on nearly every adult American. In April 2024, security researchers uncovered a breach exposing roughly 2.9 billion records, including names, Social Security numbers, physical addresses, and dates of birth.

Despite the scale of the exposure, National Public Data delayed confirming the breach until August. Victims remained unaware that their most sensitive information had been published on the dark web for months. The incident sparked bipartisan outrage and launched a congressional probe into the company’s security practices and its failure to notify affected individuals in a timely manner.

Another major breach occurred at DISA Global Solutions, a workforce screening company used widely by transportation, logistics, and energy sectors. DISA discovered unauthorized access to its systems on April 22, 2024, but notifications to affected individuals didn’t begin until February 2025, ten months after the breach was discovered. Among those affected were over 14,000 residents of Rhode Island and at least 361,000 in Massachusetts. While DISA cited the need for forensic investigations and regulatory compliance, critics noted that such delays defeat the very purpose of breach notification laws: to allow consumers to act quickly to mitigate harm.

Infosys McCamish Systems, a U.S.-based subsidiary of India’s Infosys, was responsible for one of the most protracted periods of silence following a breach. Between October and November 2023, hackers exfiltrated approximately 6.5 million sensitive records, affecting a range of financial services clients. The breach remained undisclosed to the public until September 6, 2024. For nearly a year, those affected had no opportunity to change passwords, freeze credit, or monitor suspicious activity. The delayed disclosure raised serious questions about compliance with data protection laws and the company’s crisis communication strategy.

WebTPA, a third-party health benefits administrator, also failed to meet basic disclosure expectations following a breach that impacted clients of insurance providers such as Transamerica, The Hartford, and Gerber Life. Although the company informed client organizations in March 2024, the breach was not reported to federal regulators until May.

Individual notifications lagged even further behind. In some cases, letters alerting people that their health data had been stolen arrived more than a year after the initial breach. The delays not only jeopardized patient privacy but also exposed the fragmented oversight that plagues health data security across third-party vendors and insurers.

Similarly, Comcast faced backlash after a breach at FBCS, one of its debt collection contractors, exposed the PII of more than 237,000 customers. The breach occurred in February 2024, but FBCS failed to detect it until July. Comcast did not begin informing affected customers until October 2024, eight months after the initial breach. The compromised data included names, addresses, birthdates, and in some cases, Social Security numbers. While Comcast offered identity theft protection services, many argued this fell short of addressing the risk created by months of inaction.

Even federal agencies have demonstrated concerning lapses. A privacy breach occurred recently when the U.S. National Archives and Records Administration (NARA) released more than 60,000 pages of previously classified material related to the 1963 assassination of President John F. Kennedy. This release, mandated by President Donald Trump as part of a broader push for historical transparency, ended up exposing the Social Security numbers and other personal identifiers of individuals who had been involved in Cold War-era intelligence and congressional investigations that had nothing to do with the JFK assassination.

Among those whose information was revealed was Joseph diGenova, a former Senate legal counsel and more recently a Trump campaign lawyer. His name, Social Security number, and other sensitive personal details appeared in unredacted documents, prompting him to announce plans to sue NARA for violating federal privacy laws. According to diGenova, the failure lay not in a hasty push for transparency, but in the incompetence of the officials who were tasked with reviewing the documents for sensitive content.

In response, NARA, with assistance from the Social Security Administration, began efforts to mitigate the fallout. These efforts include issuing new Social Security numbers to affected individuals and offering credit monitoring services. Nonetheless, the backlash has intensified scrutiny over how archival disclosures are handled. While the White House and NARA defended the move as a fulfillment of transparency obligations, critics argue that such transparency cannot come at the cost of personal privacy, especially when the individuals affected are still alive.

The JFK documents incident speaks to a critical challenge in the digital age: the intersection of transparency, historical documentation, and data privacy. When agencies release information to fulfill public interest or legal mandates, the responsibility to protect individuals’ personal data does not disappear. If anything, it becomes more urgent. In this case, the decision to forgo redactions not only endangered individuals, it also set a precedent for future document disclosures where privacy might again be overlooked for the sake of expediency.

Earlier, in March 2023, the U.S. Consumer Financial Protection Bureau (CFPB) disclosed that a now-former employee had improperly transferred the PII of over 256,000 consumers and details from 45 financial institutions to their personal email account. The agency became aware of the breach in February and notified lawmakers in March, but did not inform the public until late April. Worse still, the CFPB never contacted the affected consumers directly, leaving them unaware their data had been mishandled. Lawmakers from both parties criticized the agency’s opacity and apparent indifference toward those whose information had been exposed.

These cases are not isolated, but rather indicative of a broader systemic issue. While most state and federal laws mandate prompt breach notification – often within 30 to 60 days – numerous exceptions, vague definitions, and compliance loopholes allow organizations to delay disclosures without penalty. In many cases, companies cite ongoing investigations, coordination with law enforcement, or internal reviews as reasons for postponing notifications. Yet these justifications often ring hollow when the consequences for victims include identity theft, fraudulent credit applications, and medical or financial harm.

While the U.S. experiences reflect institutional lapses in both municipal and federal domains, Canada has offered a more constructive contrast. In March 2025, the Office of the Privacy Commissioner of Canada introduced an online privacy breach risk self-assessment tool.

This digital application is designed to guide both businesses and federal institutions through a structured process to determine whether a breach of personal data is likely to cause significant harm. Through a series of targeted questions, the tool helps organizations assess the sensitivity of the data involved and the probability of its misuse. Based on the results, organizations can determine whether they are obligated to notify affected individuals and report the breach to regulatory authorities.

Privacy Commissioner Philippe Dufresne emphasized that this tool responds to the growing scale and severity of privacy breaches. Dufresne said the initiative is intended to make risk assessment and mitigation more accessible and standardized. Under Canada’s Personal Information Protection and Electronic Documents Act, as well as federal privacy laws governing public institutions, organizations are required to notify individuals when a breach presents a “real risk of significant harm.” This includes a wide spectrum of harms, from financial loss and identity theft to emotional distress and reputational damage.

What distinguishes the Canadian approach is its proactive orientation. Rather than wait for the fallout from a breach to necessitate action, the risk self-assessment tool empowers organizations to identify risks in real time and respond accordingly. This process not only protects individuals more quickly but also fosters a culture of accountability. By embedding breach response protocols within a clearly defined legal and technical framework, Canada is advancing a model that balances privacy rights with practical risk management.
