Between knowing and telling
Breach disclosure clocks measure the interval after an organization notices, never the months of compromise before it. The proxy is not the fact.
A breach disclosure regime performs one function. It converts an event an organization has already identified into a formal notification inside a fixed window. The clock in GDPR Article 33 starts when a controller becomes aware of a personal data breach and runs for 72 hours. The rule the SEC codified in Form 8-K Item 1.05 starts when a public company determines that a cybersecurity incident is material and runs for 4 business days. The HIPAA Breach Notification Rule starts at discovery and runs for no more than 60 calendar days. Every one of these mechanisms measures the same interval: the distance between the moment an organization knows and the moment it tells.
That interval is the only quantity the system was built to govern. It does not measure the distance between the moment of compromise and the moment of discovery. It cannot, because each clock is anchored to an internal act of recognition rather than to the external fact of intrusion. Awareness under Article 33, determination under Item 1.05, discovery under HIPAA. Three words for one trigger, and in all three the trigger is a state inside the organization, declared by the organization about itself.
After roughly 1,000 publicly cataloged breaches, the disclosure numbers do not show companies filing more slowly. Many file well inside the statutory window. The numbers show something else. The figure the system reports has drifted away from the figure that decides whether anyone was protected. The system publishes the lag it was designed to see. The lag that determines consequence is the one it was never pointed at.
The trust model underneath every notification statute rests on one assumption. Discovery is a faithful proxy for compromise. The regime assumed that when an event occurred, the organization would know, and would know soon enough that the moment of knowing and the moment of harm sat close together on the same timeline. The 72-hour window in Article 33 is only meaningful if awareness arrives shortly after the event it describes. A 4-business-day filing under Item 1.05 is only protective if the determination of materiality tracks the material event that provoked it. The window was calibrated against a delay that was assumed to be small.
This is a trust model built on persistence and transferability. Persistence, because it assumed the relationship between an intrusion and its detection would hold steady across time, that a compromise found in one era and a compromise found in another would surface on comparable schedules. Transferability, because it assumed the internal event that starts the clock, the declaration of awareness, could stand in for the external event that caused it. The statute trusts the organization’s recognition to represent reality. It delegates the definition of when a breach occurred to the moment the organization concedes it noticed.
Nothing in the design validates that delegation. The regulation does not, and structurally cannot, inspect whether discovery was timely. It accepts the reported trigger as given. Awareness is self-declared, materiality is self-assessed, discovery is self-dated. The system treats the proxy, the internal moment of recognition, as if it were the thing itself, the external moment of compromise. While those two moments stayed close, the proxy held. The entire regime depends on a gap it does not measure remaining small.
What changed was not the sophistication of the adversary and not the diligence of the parties filing the reports. What changed was the validity of the assumption. The gap between compromise and discovery, the interval the system chose not to measure, stopped being small. Measured dwell time, the number of days an intrusion persists before anyone identifies it, has for years run into the hundreds of days when no detection fires, and into weeks even when detection works as intended. The moment of consequence and the moment of awareness came apart.
The disclosure system did not re-evaluate its trust when this happened. It inherited its clocks from an earlier state of the world, one in which intrusions were louder, in which a compromise announced itself through a defaced page, a ransom note, a locked screen, and in which discovery followed consequence by days. Article 33 still starts at awareness. Item 1.05 still starts at determination. The HIPAA clock still starts at discovery. The triggers are unchanged. The reality they were once calibrated against is not.
So the measured lag holds steady, or even improves, while the true lag grows. An organization can file within 72 hours of awareness and disclose an event that began 8 months earlier. The statute records a fast, compliant notification. The affected parties learn of an exposure that has been operating against them for most of a year. The assumption that notification follows consequence closely enough to matter no longer holds. Consequence now runs for months before the system built to report it registers that there is anything to report.
Nothing in this sequence is a bypass. The disclosure system executed the behaviour it was built to execute. When a controller records awareness under Article 33, the 72-hour clock begins and the filing arrives inside it. When a registrant determines materiality under Item 1.05, the 4-business-day count begins and the 8-K follows. When a covered entity dates its discovery under the HIPAA Breach Notification Rule, the 60-day window opens and the letters go out. Every observable output is a compliant notification produced on schedule. The mechanism did not fail. It ran.
What ran was execution against a reference rather than validation of a fact. The reference is the internal timestamp: the recorded moment of awareness, determination, discovery. The regime treats that timestamp as the origin of the event and executes the entire notification obligation against it, and at no point does it re-derive that moment from the external moment of intrusion. Identity of the source replaced integrity of the content. The organization is the source of the trigger, and its declaration of when it knew is accepted as the content of when the breach began to matter. The statute reads the label and never opens the box.
Because the reference is self-produced, the only thing the system can observe is its own record. From the outside, a filing 3 days after awareness of an intrusion that ran for 8 months and a filing 3 days after awareness of an intrusion that ran for 3 days are indistinguishable. Both present the same reference, the same measured interval, the same compliant artifact. The regime has no observable difference to act on, because the quantity that separates them, the dwell interval between compromise and discovery, was never part of the record it executes against. The proxy is the whole of what it can see, and the proxy reports success in both cases. Consequence and no consequence produce the same clean filing.
This is execution based on reference, not verification. A system is handed a token that stands for a fact, and it acts on the token as though it had acted on the fact, without re-establishing the link between them. The token can be a timestamp, a version string, a signature, a status flag, a declared moment of awareness. Once accepted, it is not re-derived. The system resolves the reference a single time and carries the result forward, and when the underlying reality moves after resolution, the system does not move with it. The reference is durable. What it points to is not.
The same mechanism runs in X.509 certificate validation. A relying party trusts a certificate because the chain verifies and the current time falls between the notBefore and notAfter fields. Those fields are references: assertions about a validity window fixed at the moment of signing. The relying party executes trust against the reference, not against the present integrity of the private key. If that key is copied on day 2 of a 398-day validity window, the certificate keeps validating for the remainder of it. The arithmetic is still correct. The signature still checks. The system produces exactly the trust it was designed to produce, against a reference that no longer corresponds to the state of the world.
Revocation exists as the acknowledgment of this exact gap. CRLs and OCSP were added precisely because a validity window cannot represent a key that has been compromised inside it. And they inherit the failure they were meant to correct. Revocation only begins after someone declares the compromise, an internal act of recognition that arrives late, propagates slowly, and is frequently never checked by the relying party at all: most browsers either skip the live OCSP query or soft-fail when the responder does not answer. The revocationDate in a CRL entry is the date the issuer recorded its decision; the earlier date on which the key is believed to have been compromised has only an optional, rarely populated slot (the invalidityDate entry extension), and no chain check consults it. Revocation keys off a self-declared moment of awareness and measures the interval after recognition while leaving the interval before it unmeasured. The correction and the disclosure clock are the same shape. Both trust an organization's account of when it noticed, and both are silent about everything that occurred while it did not.
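The two checks described in the last two paragraphs, chain-and-window validation against a CRL lookup, as an added example that is not part of the original essay. It uses only Go's standard crypto/x509 to mint a throwaway root, a 398-day leaf and a CRL in memory, on a constructed timeline (key copied on day 2, issuer notices and publishes a CRL on day 240). The root name, the hostname example.test and all dates are the example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed timeline for this example, not data from the essay: a leaf issued
// on day 0 with a 398-day window, its key copied on day 2, a CRL issued on day 240.
var (
	issued     = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	compromise = issued.Add(2 * 24 * time.Hour)
	awareness  = issued.Add(240 * 24 * time.Hour)
)

// PKI is a throwaway root, one leaf under it, and the CRL the root signed on the
// day of awareness. No artifact in it records day 2.
type PKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildPKI mints the CA, the leaf and the CRL in memory. The CA needs crlSign
// for CreateRevocationList; Go derives SubjectKeyId for CA templates itself.
func BuildPKI() *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root"},
		NotBefore: issued.Add(-24 * time.Hour), NotAfter: issued.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: issued, NotAfter: issued.Add(398 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))

	// revocationDate is the self-declared moment of recognition, not the compromise.
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: awareness, NextUpdate: awareness.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: awareness}},
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &PKI{CA: ca, Leaf: leaf, CRL: crl}
}

// ChainValidAt is the check every TLS client performs: a chain to a trusted root
// with t inside [notBefore, notAfter]. It learns nothing about the key's present integrity.
func ChainValidAt(p *PKI, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "example.test", CurrentTime: t})
	return err == nil
}

// RevokedAt is the check a client that actually fetches the CRL performs. Before
// ThisUpdate the CRL did not exist; afterwards the earliest date it can report is the declared one.
func RevokedAt(p *PKI, t time.Time) bool {
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil || t.Before(p.CRL.ThisUpdate) {
		return false
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Leaf.SerialNumber) == 0 && !t.Before(rc.RevocationTime) {
			return true
		}
	}
	return false
}

// TrustedAt is the decision a revocation-checking relying party reaches at t.
func TrustedAt(p *PKI, t time.Time) bool { return ChainValidAt(p, t) && !RevokedAt(p, t) }

func main() {
	p := BuildPKI()
	day := 24 * time.Hour
	for _, t := range []time.Time{compromise.Add(-day), compromise.Add(day), awareness.Add(-day), awareness.Add(day)} {
		fmt.Printf("%s chain=%v revoked=%v trusted=%v\n", t.Format("2006-01-02"),
			ChainValidAt(p, t), RevokedAt(p, t), TrustedAt(p, t))
	}
}
```

Run with `go run .` and the four probe dates print the shape the essay describes: the chain check passes on every date inside the window, including the 238 days between the key being copied and the CRL appearing, and the CRL only flips the decision from the declared revocationDate onward. Nothing a relying party can fetch distinguishes day 3 from day 239.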
A breach clock resolves the moment of a compromise exactly once, at the instant an organization concedes it noticed. It does not revalidate that moment against the event that caused it. The control exists. The outcome does not.