Technical problems aside, companies that become aware of a data breach are faced with a spectrum of difficult choices, typically boiling down to three questions: What information should be conveyed, to whom, and when? A post in a Sheppard Mullin privacy blog looks at one case where a major company apparently did it right. PayPal, after discovering there had been a breach at a recently acquired business, said it was investigating but wasn’t aware of any customer personal information being at risk. Weeks later the company announced that personal information of 1.6 million customers may have been compromised. The stock price dropped, and plaintiffs who had bought stock between the two announcements mounted a class action. The district court dismissed the case for want of a key element, and its ruling was upheld by the Ninth Circuit.