Legal Departments’ ‘Risk Calculus’: Should Breach Response Be Slow and Steady?