We haven’t heard the full story yet about the Global Payments data breach situation.  But what we do know is that the story was broken by Brian Krebs on his blog — not by Global Payments getting out the word.  Global Payments’ lack of notification underscores an issue that has been building momentum in the U.S. and abroad — the call for a private sector “national data breach notification standard.”  There have been over 50 bills introduced in Congress calling for this kind of standard, and it was included as one of the Administration’s legislative proposals.  Many states have enacted their own breach notification laws, but the requirements vary, which means that businesses in some states are under no legal obligation to let customers know if their credit or debit card or other personal information has been breached.

Supporters want people affected by the breach to get the information quickly so we can take proactive steps to protect the personal information that has been, or could be, affected.  Others will say that telling us before all the facts are known can cause undue anxiety — what if it turns out that the data wasn’t stolen but was only misplaced?  Or what if all the data was encrypted — should we still be told?

The newly proposed European Regulation on General Data Protection is being reviewed and won’t go into effect for 2 years after its adoption.  One of its key provisions, unless modified, will require businesses to alert the appropriate authorities and the affected individuals within 24 hours, whenever feasible, of the discovery of the breach.  U.S. proposals call for notification “within a reasonable time” and build in time for investigating the breach.

But how soon would you like to be notified?  Would you want to hear immediately? After an investigation has been done?  And what if the investigation takes weeks or months?  There’s no right answer; it is a question of personal comfort.  Data breaches are on the increase, so it’s important to know that whether you hear about one or not really depends on whether you’re living in a state with such a law.