I understand the need for prompt notification, but accurate notification is probably more important. Why cause panic among customers, vendors... unless you know the extent to which the breach took place. Was it 1 customer or was it 1000? How long did the breach last - 1 hour or 1 year? These questions should be able to be answered before it's announced XYZ company had a breach... Reputation risk is at stake. I will say that once it's determined what happened that full disclosure should be made.
I understand the need for prompt notification, but accurate notification is probably more important. Why cause panic among customers, vendors... unless you know the extent to which the breach took place. Was it 1 customer or was it 1000? How long did the breach last - 1 hour or 1 year? These questions should be able to be answered before it's announced XYZ company had a breach... Reputation risk is at stake. I will say that once it's determined what happened that full disclosure should be made.