HACKER Q&A
📣 rr-throwaway

What is an employer's obligation to inform employees of a hack?


My former employer was compromised by the Royal Ransomware hack. According to the information posted on the Royal Ransomware site, they've exfiltrated sensitive data including employee personnel records and other confidential information. What legal obligation does an employer have to notify former employees of this type of breach?


  👤 bell-cot Accepted Answer ✓
IANAL, but...

- "Royal Ransomware's web site is bragging that they stole employee data from XYZ Corp." might trigger some legal obligation for XYZ Corp...but my bet would be "nope, sorry, there has to be real evidence that that's true".

- If there is decent evidence that RR actually did steal your data (from XYZ Corp), then "What legal obligation...?" depends upon the jurisdiction.

- Whatever the "what obligations?" answer might be, it's a completely separate question to ask "what are the consequences, from my PoV, if they failed to do as they were obligated to?". And again dependent on jurisdiction.


👤 orbz
To get the best answer you should mention what jurisdiction you and your company are in.