http://www.radisson.com/openletter/openletter-faq.html
What happened? When did it happen?
Between November 2008 and May 2009, the computer systems of some
Radisson® hotels in the U.S. and Canada were accessed without
authorization. This unauthorized access was in violation of both
civil and criminal laws. Radisson has been coordinating with federal
law enforcement to assist in their investigation of this incident.
Why didn't you notify me sooner?
Working closely with law enforcement and forensic investigators, it
has taken some time to analyze the origins and extent of the
unauthorized access.
Why not notify people immediately when the breach is discovered? The
"origins and extent" of the breach don't materially affect any of the
individuals whose personal information may have been compromised. The
important thing here is that the information was compromised. Are
these affected people really going to take different measures based on where
their information went?
The text of the letter makes it seem like the breach was discovered in
May 2009. It is now August, giving the bad guys at least two full
months to work with the information they acquired.
Surely the responsible approach is to notify everybody immediately and
work out exactly what happened later? Better to notify too many people
quickly than to notify exactly the affected people after their personal
information has already been put to nefarious purposes.
-Gordon
URL: http://www.cnbc.com/id/32446935/
---//--
Have you stayed at a Radisson since last November?
a little-known but fairly large loophole in many data breach
notification laws.
Most notification laws have a (mostly sensible) exception that
notification isn't required, or in some cases even permitted, if
notification would impede an active law enforcement investigation.
You don't want to tip off an active intruder if there's a good chance
the cops are working to catch him.
Realizing that data breach notification laws were passing in almost
every state, lobbyists for those opposed to such laws seized on this
provision to water down the bills. As a result many notification laws
now allow _the breached company_ to decide whether notification would
interfere with an investigation. In other cases, a company could
indefinitely avoid notification even after an investigation is
completed, on the grounds of the initial (but completed)
investigation. Some states even granted a related exception to
notification if the company determined after an investigation that a
breach wasn't "material" (in the company's opinion).
A few states are moving to tighten some of these loopholes. For
example, Maine just amended its law to require notice within 7 days
after law enforcement officials give the all clear.
see privacylaw.proskauer.com/2009/05/articles/security-breach-notification-l/seven-days-is-all-she-wrote-/
Ethan