“In my personal opinion, within 72 hours, you’re obligated to tell them, ethically speaking,” said Chester Wisniewski, principal research scientist for Sophos, a global cyber-security company that monitors ransomware threats. “It’s not a law or a rule,” he said, “[but] waiting months is very bad. It’s just more time you’re not being able to fight against your data being abused.”