Depends where they are in the world. I _think_ GDPR would be a good enough business reason, as they set a ticking clock of 72 hours from the breach to notifying individuals who are in the breach. And the fines involved are pretty steep (almost effing vertical for some).

> as they set a ticking clock of 72 hours from the breach to notifying individuals who are in the breach

It doesn't, that 72 hours is for notifying the DPA (Article 33). There is no strict timeline for data subject notification (Article 34), just that it must be done "without undue delay".

And the time limits start running when the controller becomes aware of the breach (be it minutes or years after the actual breach). If the processor is breached, the time limits only start running once they notify the controller. The time limit to notify the controller is "without undue delay" (33(2)). I don't think there is a lot of case law around what that exactly means.

And if they don't disclose, nothing happens anyway. Maybe a five-figure "cost of doing business" slap-on-the-wrist fine, not considering the number of users affected. Enforcement is extremely selective and bureaucrats essentially operate on "if company in FAANG, take action, else do nothing" programming.

A minor problem with GDPR is enforcement.

At least in Germany it feels like you need a very dedicated and persistent person to make the case against a company/service (bonus points if they get media attention). Other countries are a bit better, but it generally is not very consistent.

The enforcement for most small to mid-sized companies is often just not present, and resources for the relevant agencies are often only reluctantly allocated. IME, in government institutions it is generally not very respected as it "impedes progress".

At least there is the very dedicated and persistent https://noyb.eu :)

NOYB has been ghosting me since January, and EFF since September.

See how many of their cases have been dragging on since almost the beginning of GDPR.
