Public companies risk running afoul of US data breach laws if they don't disclose a breach and customer data was potentially stolen. So it's a matter of piss off your stockholders or break the law. The only winning move is to have proper security before you get hacked.
> Public companies risk running afoul of US data breach laws if they don't disclose a breach and customer data was potentially stolen.
There are no US data breach laws, only state data breach laws, and they vary significantly from state to state, also in what constitutes "data", "breach", and "disclosure".
So it's not just a matter of breaking the law or not. There are lots of situations where specific companies cannot disclose publicly that they've been breached and not run afoul of the law.
I work in the Information Security field, so I'm aware. I don't mean US-wide data breach laws, I mean data breach laws in the US. Many states (100% of the states I support) require disclosure in a certain timeframe if customer data has been disclosed.