You'd be requiring companies to speculate on the outer bounds of something that is simply not knowable.
Sucks to be them, but then they have a very strong incentive to quickly begin investigation and triage so that they can quickly identify who is actually at risk.
It is ridiculous to sacrifice the victims by keeping them ignorant of the risks they are facing so that the company can save face. They should not be allowed to blindly speculate that everything is perfectly fine, which is simply not knowable without an investigation.
What's the burden of proof to confirm that the first sentence in your quote is correct? (Can I just claim to have breached some company and have the law compel them to issue that quote?)
You're frustrated that companies are issuing information-free notices today; your proposal appears to make them issue information-free notices tomorrow.
Your complaint that the situation will just turn into everybody acknowledging that they are hopelessly insecure is a far better situation than now where everybody lies by claiming that they are secure. It results in the acknowledgement of breaches and the acceptance of liability that would be helpful for future legislation that can actually apply penalties for delivering products that are defective with respect to security.
I don't think anyone would have to claim to have breached the company in question.
Just the act of asking the question would compel any company to have to respond "Yes, we have been breached."
So as a user, just assume this at all times, then. Just assume that all of your accounts are hacked or will be in 10 minutes and don't put anything in them that you would not be ok with others knowing. I don't see the difference between just assuming they're all compromised and waiting for a company to tell you that your account may be compromised and that they'll tell you more in 2 years once the investigation is fully completed and everything is known.