New Zealand's privacy watchdog is concerned it took two years for internet giant Yahoo to tell its customers about an enormous hack it suffered in 2014.
Yahoo has revealed 500 million of its email users had their accounts hacked.
New Zealand internet provider Spark has run its email system - Xtra Mail - through Yahoo's servers for nine years. Around 130,000 customers are "potentially at risk", the company said on Monday.
Privacy Commissioner John Edwards says there's no law forcing companies in New Zealand to tell their customers they've been hacked.
"We're lucky in this case we get the benefit from laws in other countries, because Yahoo is subject to jurisdictions which do have mandatory breach notification," he told Paul Henry on Tuesday.
"The nature of international media at the moment means we would find out pretty quickly."
There are changes planned for the Privacy Act which would make it compulsory, but they're not going to be in place anytime soon.
"I would hope we would at least have a law in place to coincide with the European data protection regulation, which comes into force in 2018. It's a slow process, [the] making of laws."
Spark is dumping Yahoo, and from next year will use New Zealand-based company SMX for its email service.
In the meantime, Spark customers - and everyone else - should be practising "online hygiene".
This includes regularly changing passwords, not using the same passwords for different accounts, and adopting two-factor authentication where possible.
"A login and password is going to be seen as the horse and cart of the internet age before too long," says Mr Edwards.
Many browsers nowadays offer services which create randomised, hard-to-crack passwords which the user doesn't need to remember.
Democratic Senator Mark Warner has asked the US Securities and Exchange Commission to investigate whether Yahoo and its senior executives fulfilled obligations to inform investors and the public about the attack.
"Disclosure is the foundation of federal securities laws, and public companies are required to disclose material events that shareholders should know about," Mr Warner said in a letter to SEC Chairwoman Mary Jo White.
Warner also asked the SEC to probe whether Yahoo has "made complete and accurate representations" about the security of its information technology systems.