Every time a major breach hits the headlines, the pressure intensifies: companies must disclose faster, regulators must respond faster, security teams must patch faster. The velocity has become the virtue. But what if our obsession with speed is making us less secure, not more?
Consider the cascade of recent incidents. Schools disrupted by breaches, repositories stolen, millions of records compromised. Each story triggers the same reflexive demand: Why didn't they tell us immediately? Why weren't they faster? The faster-disclosure narrative has become so dominant that questioning it feels almost reckless. But restraint, carefully applied, may actually serve the public better than the current arms race toward instantaneous notification.
Let me be clear about what I'm not arguing. Hiding breaches is indefensible. Transparency matters. But there's a meaningful difference between "timely disclosure" and "disclosure at maximum speed," and we've started conflating them without examining the costs.
Here's the problem: When companies rush to notify affected parties before they've actually determined the scope, nature, and remediation pathway of a breach, they often create panic without useful information. Someone gets notified that their data "may have been accessed" in a breach, but the company doesn't yet know which data, how it will be misused, or what the person should actually do about it. The notification creates urgency but no actionable path forward. It's security theater dressed in transparency language.
Worse, the speed pressure creates perverse incentives. Teams working under impossible timelines make mistakes. They over-disclose to avoid looking like they're hiding something. They under-investigate because they're racing the clock. They issue multiple corrections and updates, eroding trust rather than building it. In trying to move fast, they stumble.
There's also the investigative reality that nobody likes to discuss: understanding a breach takes time. Understanding *what* was taken requires accessing systems that may still be compromised. Understanding *how* someone got in requires forensics that can't be rushed. Understanding *who* is actually affected requires careful data analysis, not guesses inflated to cover liability. A company that takes three weeks to investigate thoroughly and notify accurately provides more value to victims than one that notifies in three days with incomplete information.
The fastest disclosures we've seen have often required subsequent corrections. The most careful investigations have taken weeks. Yet the speed-obsessed rhetoric treats the latter as a failure and the former as responsible. That's backward.
I'm not naive about why companies might delay notification. Self-interest absolutely plays a role, and regulations exist for good reason. But the pendulum has swung so far toward "faster equals better" that we've lost the nuance. Sometimes slower is more responsible.
Consider what responsible restraint actually looks like: A company discovers a breach and immediately begins a rigorous investigation while notifying relevant parties confidentially. They determine scope, understand impact, and prepare clear guidance for affected individuals. They then notify those individuals with complete information and specific, actionable steps. This might take two weeks instead of two days. During those two weeks, the company is working, not stalling.
The current system rewards the appearance of action over the substance of it. A company that notifies in 24 hours gets credit for transparency even if that notification is vague and will require three follow-ups. A company that notifies in two weeks with complete information gets blamed for delay, even though the victim receives more useful information upfront.
We need regulation that mandates *thorough disclosure in reasonable timeframes*, not disclosure at maximum speed. There's a difference. One builds genuine accountability. The other just builds noise.
The breach epidemic won't be solved by moving faster. It will be solved by companies building systems that are harder to breach in the first place, understanding why breaches happen, and taking time to get the response right.
Sometimes, restraint isn't evasion. Sometimes it's professionalism.