Under Armour is investigating a recent data breach that purloined customers’ email addresses and other personal information.
Love the apologetics by haveibeenpwned “to be fair they’re also dealing with …” some other related criminal investigation, etc.
If you can’t appropriately manage your risk, and your response, that doesn’t mean the regulations and disclosure requirements should shift, it means, just like your shit security practices that allowed the breach in the first place, your IT team is inappropriately and illegally under-resourced to responsibly and compliantly follow the law. They should pay significant penalties for failing to promptly disclose, and if due to insufficient staffing should be required to fix as a condition of settlement.



