The Company That Knew and Said Nothing
When companies delay breach notifications, they transfer the entire cost of a breach to the one person who had no part in causing it.
Morgan finds out on a Tuesday evening, scrolling through the news. Not from the company. Not from the bank. Not from anyone who thought they had a duty to say something. From a journalist who found out first.
The article is six paragraphs long. The breach happened seven months ago. Morgan’s name, date of birth, email address, and payment history have been sitting somewhere they were never supposed to be. The notification is still in a queue. The legal team is still reviewing.
By the time Morgan finishes reading, the account has been live in the wrong hands long enough to matter.
The system is working as designed
Companies are not legally required to disclose data breaches immediately. In the UK, under GDPR, the obligation to notify the Information Commissioner’s Office is seventy-two hours. Notification to individuals is required only when there is a likely high risk to their rights and freedoms — and determining that likelihood is left largely to the organisation doing the determining.
The gap between an event happening and a person learning about it is not a failure of the system. It is the system. Seven months is not unusual in documented cases. Twelve is not unheard of. The disclosure process is managed for legal exposure, reputation, and investor sentiment. The person whose data was taken is, structurally, the last consideration.
None of this requires a villain. The process is run by compliance teams doing their jobs inside a framework designed before the scale of digital exposure was fully understood. The problem is not malice. The problem is architecture.
Whose interests the framework serves
The disclosure framework was built around the assumption that a company’s primary obligation in a breach event is to contain it, assess it, and report it in good order. The individual whose data was taken is a downstream consideration — someone to be managed after the institutional response is complete.
This is an understandable way to design a legal framework. It is not an acceptable way to treat a person. The individual whose data was taken has no independent means of knowing what has happened. They cannot check. Cannot act. Cannot protect accounts, change passwords, alert a bank, or do any of the things that might have reduced the damage. The window in which those actions were possible opens and closes while the disclosure is being reviewed.
The data that was taken does not expire. An address does not change. A date of birth does not change. The value to a criminal does not diminish with time. The delay does not reduce the risk — it transfers it entirely to the person.
The company managed the crisis. Morgan just lived inside it.
What the delay actually costs
The visible cost — fraudulent transactions, identity theft, months of remediation — is measurable, if the person can prove causation in time. Most cannot. The link between a breach notification seven months late and the credit application rejected six weeks ago is not the kind of thing an individual can easily trace through a system designed to obscure its own connections.
The invisible cost is something else. Anyone affected comes to understand, in a way that cannot be undone, that there are institutions holding information about them that will manage a catastrophic failure without telling them until the legal minimum has been met. That the decision about when they deserved to know was made by people they have never met, in a process they had no part in, according to criteria they were never shown.
The relationship between a person and the organisations that hold their data is not a relationship between equals. It never was. But the disclosure framework makes the power difference formal, and applies it at the moment a person is most vulnerable.
The notification system, as it currently operates, serves the organisation managing the breach rather than the person affected by it. It assists the company to discharge its legal obligation at a time and in a manner that suits the company’s interests. The individual affected receives a letter when the process is complete, not when the information might have been useful.
A seven-month delay adds nothing to the individual’s position. The argument that thorough investigation improves the quality of notification is technically defensible. In practice, the person receiving the notification has no way to verify the investigation’s quality, no means to challenge the timeline, and no recourse if the delay increased their exposure.
Every person whose data is in a breach has a different threat profile — different accounts, different vulnerabilities, different ability to act quickly. A single delayed disclosure treats all of them identically, at the moment when individual difference matters most. The person who is digitally confident and financially resilient and the person who is neither receive exactly the same letter, at exactly the same time, containing exactly the same limited information.
My Opinion
The architecture of delayed disclosure is not the result of poor drafting. It reflects a consistent choice about whose interests the legal system was designed to protect. The notification framework was not designed and then found to serve institutions better than individuals. It was designed to serve institutions. The conversation about how to change it will not begin with regulators or compliance teams. It will begin when enough individuals decide that a letter arriving seven months late is not a notification. It is an alibi.
The questions no letter asks
If your data has been in a breach — and statistically, it has — the notification you received, if you received one at all, told you what the company was legally required to say. It did not ask what you think about the system that produced that notification. These are the questions the letter didn’t come with.
Have you ever found out about a breach affecting you through a news story rather than a direct notification?
If you ran a company and discovered a breach, what would stop you from telling your customers immediately?
Should notification timelines be standardised and enforced — and if so, by whom?
What would you want a company to say to you, and when, if your data had been compromised?
These questions sit at the centre of my book The Shadow System — specifically the sections on how companies manage reputational risk against actual risk in the aftermath of a breach.
Authors note
Morgan is a fictional character. Their story is drawn from a combination of professional observation and personal proximity to real events. The experiences described are real. The person is not.
You’re reading The Next Evolution by Neil Catton, articles that explore the human world and the intersection of technology, they try and ask difficult questions - not to scare - but to inform. If someone forwarded this to you, you can subscribe free at neilcatton.substack.com.
Neil Catton is the author of The Next Evolution, The Cognitive Crucible and The Shadow System - available on Amazon, and writes at the intersection of technology, ethics, and human purpose.


