Requiring a one-hour notification time, even for suspected intrusion, means that it's harder for something like that to be swept under the rug and allows for oversight over the organization reporting the breach. It's not a bad thing, and is how most large companies who are under regulatory compliance mandates like HIPAA are operating.