BreachExchange mailing list archives

Data Breaches And Notifications: A Contrarian View? Or More Of The Same?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Aug 2014 18:52:00 -0600

http://www.alertboot.com/blog/blogs/endpoint_security/archive/2014/08/05/data-breaches-and-notifications-a-contrarian-view-or-more-of-the-same.aspx

The Wall Street Journal has an article on how certain executives are
questioning the value of notifying the general public on company data
breaches.  The pay-walled article notes that there are valid reasons
against more transparency.

The thing is, most of these so-called reasons are self-serving – which is
why 47 states have laws requiring breach notification.  Plus, the article
lays out certain practices that make one wonder whether they understand
how the law works.

Can't Sue If They Don't Know, Might Tip Off Criminals

Some of the reasons given against more transparency are semi-comical.  One
executive said that "'there is this crazy hysteria' about cyberattacks,"
which I'm going to assume is meant for data breaches in general and not
just cyberattacks (aka, attacking online servers).  It is also pointed out
that "not every corporate document is a valuable trade secret; credit-card
numbers may....never [be] used."

Regarding the hysteria: just because it feels crazy doesn't mean it's not
real.  Identity theft is usually the end product of a data breach and,
according to a 2013 Bureau of Justice Statistics report, 16.6 million
people experienced identity theft in 2012, with financial losses totaling
$24.7 billion.  Put in this light, it's crazy that more isn't done to
curtail data breaches.

But, wait, contrarians might say.  Not all data breaches do result in
sensitive information being stolen.  Also, as already pointed out above,
just because it's stolen, it doesn't mean it will be used.  The first
charge is a moot point.  Data breach laws do not require that all data
breaches be reported.  By and large, the laws require notification if
sensitive personal data is lost or stolen.

As to the second observation, the premise is so infantile that I would have
to retort with a childish "so what?"  How would a company that has
experienced a personal information data breach know whether the stolen
information will be used or not?  They can't.  That's the point; that's why
the public at large is notified of it.  So they can check their bank
statements or whatever it is they have to do.

Plus, the logic itself doesn't make any sense.  Let's use the same exact
parallels to argue about guns, shall we?  Hey, someone stole my gun, but we
all know that most guns are not used in crimes.  Thus, chances are that the
gun will not be used in a crime.  Hence, the theft doesn't really represent
a threat – after all, it could be hanging on someone's wall, being admired
by the thief.  No need to let anyone know that the gun was stolen; chances
are nothing will come out of it.

Does this sound reasonable to you?

My jaw also hit the floor when I read this particular line:  "If you never
disclose the breach at all, then you don't have class-action suits," said
one particular lawyer.

*Sigh*.  While I don't doubt that there are many organizations actively
hiding data breaches for this exact reason, it sounds quite wrong for it to
come out of the mouth of a lawyer from a respected firm.  My hope is that
he has either been misquoted or quoted out of context.  If I may offer this
observation, to show how wrong the statement happens to be: if you kill a
man, give him cement shoes, dump him in the Hudson, and never disclose it
at all, then you don't get arrested.

Verbal Legal Wrangling

There was also another aspect that left me scratching my head and wondering
whether people knew what they were doing (my emphases):

"In hacker simulations, the company has mapped out one response for a data
breach it discovers on its own and another if it's alerted by law
enforcement or a journalist. But "we actually don't use the term breach,"
because that could trigger disclosure laws, Ms. Hutchinson said.

[...]

"She said she might recommend telling consumers about a hacking incident,
but only after extensive analysis. Announcing "anything earlier than three
months, in my opinion, would be too quick," Ms. Hutchinson said."

I guess it depends on which laws Ms. Hutchinson is referring to, but the
laws that I know (state laws) have very specific definitions of what a data
breach constitutes – meaning how you decide to classify something has very
little bearing.  You can't claim something is not a data breach just
because you've decided to call it a "coconut chocolate bar" and refer to it
as such in your internal memos.

Of course, we can all appreciate that the breached companies are victims,
too.  But I think the public's cynicism and lawsuit-happy trigger-fingers
are most probably a result of attitudes such as the ones above.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/