Read: “We sprung into action… as soon as we found out.”

In a lot of cases, most hackers are long gone by the time a company learns of a breach. When a company says it took immediate steps, don’t assume it’s from the moment of the breach

Read: “We were forced to tell you.”

Don’t think for a second that a company is doing “the right thing” by disclosing a security incident. In the U.S. and Europe, companies aren’t given a choice.

Most states have some form of...

Read: “It sounds way worse if we say ‘millions’ of users.”

The next time you see a data breach notification that says only a “small percentage” of customers are affected by a breach, think again.

Houzz admitted

Read: “We don’t know who’s to blame, but don’t blame us.”

If a system was exposed or left online without a password, you’d blame the company for lax secur...

Read: “We clearly don’t.”

A phrase frequently featured in data breach notifications.

The reality is that most companies have shown little compassion or care about the privacy or security of your data, but do care about having to expl...

Read: “That we know of.”

“No evidence” doesn’t mean that something hasn’t happened, it’s that it hasn’t been seen yet. Either the company isn’t looking hard enough or it doesn’t know. Even if a company says it has “no evidence” th...

Read: “We’re trying not to look as stupid as we actually are.”

Just because a company says it was hit by a “sophisticated” cyberattack doesn’t mean it was. It’s hyperbole, designed to serve as a “cover your ass” statement to downplay a security incident.Wh...