Fuzzy math: The need for a national cyber breach notification standard

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.scmagazine.com/fuzzy-math-the-need-for-a-national-cyber-breach-notification-standard/article/331478/

It is a well-known fact that cyber attacks pose a significant risk to
businesses. Most recently, we have seen how the cyber attack on Target
resulted in lower sales, higher costs, and a loss of customer trust. In
addition, business partners, such as the card issuers and payment
processors are also impacted financially by this breach. According to
Lloyd's Risk Index Report for 2013, only high taxation and loss of
customers ranked higher than cyber security as top concerns faced by global
businesses. The key difference between these top two risks and cyber risk
is the availability of information.

While forecasting tax rates and revenue is not easy, there is publically
available information that can be used to build predictive models, such as
GDP forecasts, commodity prices, and proposed new government regulation. In
contrast, very little information is available to risk managers, insurers
and regulators to understand and manage cyber risk. In particular, security
incident and data breach information are woefully lacking. With minimal
insight into who has been attacked and the impact of the attack, it is
difficult for business, consumers and policymakers to understand and manage
cyber risk.

Forty-eight U.S. states have breach notification laws for incidents
involving the loss of consumer data. None have notification requirements
for the breach of non Personally Identifiable Information (PII), such as
the loss of corporate intellectual property. The threshold, reporting
requirements and breach definition varies significantly state by state.
Massachusetts requires any data breach impacting a resident be reported to
the state Attorney General. California requires that only breaches
affecting more than 500 residents be reported to the state Attorney
General. The result is that the California Attorney General reported only
131 breaches in 2012 while the Massachusetts Attorney General reported
1,118 during the same year. Assuming roughly similar business practices
from state to state, it does not make sense that California, a state with
more than five times the number of businesses than Massachusetts, would
report only 12 percent the number of breaches as Massachusetts.

In addition to state disclosures, there are a number of other organizations
that gather information on data breaches and security incidents. For
example, Verizon's 2013 Data Breach Investigations Report (DBIR)gathered
data from contributors in 27 countries and found more than 47,000 security
incidents and 621 cases of confirmed data disclosure in 2012. According to
DataLossDB, there were 1,622 data breach incidents globally in 2012.
Finally, Identity Theft Resource Center documented 470 data breaches in the
U.S. 2012.

Collectively, the numbers do not add up. Each of these organizations
provides great analysis and insight based on their unique vantage point.
While all may be accurate from their vantage point, they do not provide,
individually or collectively, ground truth into the number of security
incidents and data breaches. Although some progress has been made in the
availability of data, we are far away from having the transparency required
for risk management.

How do we resolve these discrepancies and find clarity in this fuzzy math?
These data points illustrate the need for comprehensive and consistent
standards around the notification of security incidents and data breaches.
Various initiatives, including the Data Security and Breach Notification
Act of 2013, are helping to increase awareness of this need, but have not
made sufficient progress. Without comprehensive and consistent standards,
the trend we see today where companies share the least amount of
information legally required will continue. A study by McAfee and the SAIC
reported that only 30 percent of organizations disclose all of their breach
incidents. To create a culture of transparency, we need to raise the bar
for disclosure and incentivize the right behavior through clear and
comprehensive national standards.

To be successful, such a national standard must include clear definitions
of breach and security incident, require disclosure of all incidents that
impact PII, confidential business information and compromised systems.
Notification triggers, time to notify and method of notification would also
be addressed in these standards, making the data consistent across
geographical lines and providing us with information we can both understand
and use to build meaningful and robust risk models.

These models will enable consumers, risk managers, policy makers, cyber
insurers and consumers to make more educated decisions on how to manage
cyber risk. As cyber risk is priced into purchasing and partnership
decisions, organizations will be incentivized to improve their security and
become better at notifying the relevant parties of an incident or breach.
Transparency and accountability will breed improved security, which will
benefit all.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!