
Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):

For companies operating in the European Union, the General Data Protection Regulation (GDPR) (1) mandates that such breaches need to be disclosed in under 72 hours. The implementation deadline for GDPR is the end of May 2018 (~7 weeks to go).

Under Armour, a US-based sports apparel manufacturer which operates in the EU as well, recently had a breach that affected 150 million users, and went public within 3 days of discovering the breach (2).

I believe Under Armour's case is the norm we can expect going forward.

(1) https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

(2) http://www.bbc.com/news/technology-43592470



