BreachExchange mailing list archives

Getting Breach Notification Right


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 23 Mar 2015 19:05:53 -0600

http://techcrunch.com/2015/03/03/getting-breach-notification-right/#yFZP25:5lpb

President Barack Obama proposed in January the first federal standard for
data breaches, requiring that companies notify customers of privacy-related
breaches within 30 days of discovery. Other standards and regulations exist
(47 states at last count had some form of regulation regarding breach
disclosure), but there is currently no federal standard to act as a
baseline.

This isn’t a new proposal, however, as the debate on the Hill has been
ongoing for nearly three years. In the run-up to the State of the Union,
all things “cyber” seemed to leap to the top of the agenda in the wake of
the high-profile attacks and breaches in late 2014. It should come as no
surprise that talk of cyber security, online privacy and a focus on
governance for good electronic corporate citizenship became part of the
national dialogue.

These are subjects that matter, and the degree to which they could impact us
all — corporations and citizens alike — is growing. A quick survey of the
blogosphere shows that security people in general tend to back this, but
the merits or strengths of a particular measure shouldn’t be confused with
the processes of legislation. Security folks should be careful not to be
cited out of context as the legislative machine starts up.

Regulations are always sensitive and polarizing in the corporate world. No
one wants more cost and complexity for having to follow yet another
regulation. Breach notification will require new processes and oversight,
new understandings of risk and new processes and personnel. But the
critical point here is that this is needed anyway, with or without a
federal regulation. If the government doesn’t demand better disclosure
policies for breaches, consumers will soon enough.

To be clear: the right behavior is to disclose, every time.

Requiring breach notification establishes a level playing field that makes
it clear to companies: if you have a breach, get ready to talk about it. It
also will help reduce the bayonetting of the wounded when breaches occur.
Breaches are inevitable, but data theft is not. There is much that can be
done after an attacker gets inside a network to prevent them from leaving
with valuable information.

Today, the majority of network security spend is focused on the early
stages of an attack and the late stages of an attack. The early stage is
trying to prevent attackers from getting into the network in the first place,
protecting the perimeter with things like web application firewalls,
next-gen firewalls, intrusion prevention systems, antivirus software and more.
The late stage of an attack would be once you know an attacker has gotten
in: trying to aggregate all those alerts, piecing together how they got in,
what they did inside, and what information they left with.

What’s missing is a solid understanding of the middle, what happens after a
threat gets in, but before they get out. It’s time to pay attention to
security and make sure that prevention, containment and post-event ethical
process and management are top priorities at the C-level and with corporate
boards. I would go so far as to say that one of the first principles of any
regulation should be to make clear that it is not only arrogant but also
unethical to determine risk for someone else and to deprive them of the
opportunity to make their own risk decisions, no matter how obvious a
corporate board room might think the choices are for victims.

A breach notification law, taken in isolation from other digital and
communications requirements, sets the right tone for what to do and what
not to do.

In many situations, the conversation isn’t about the right thing to do for
the victims (i.e. the end users or businesses whose data is lost) but is
instead about the right thing to do for the breached company (e.g. how to
avoid legal exposure, bad press, and other risks to the bottom line). That
approach has to end.

It’s also important to establish that the specific moment a breach occurs
isn’t always simple to understand. There’s a popular perspective that it’s
easy to know if and when a breach has occurred, but this isn’t like looking
in a bank vault and seeing that the money is missing. It isn’t always
clear, and it often requires forensic work and proving negatives.

That makes it important to also stress that investigations have to happen
promptly, that documented and effective policies exist for calling an
incident, and that investigators and executives don’t drag their heels to
avoid having to call the time of breach. Once that’s done, setting the time
frame to 30 days gives enough time to be sure a breach really has occurred
and to determine who the victims are, and leaves no wiggle room for delaying
the notification of victims in a timely manner.

A well-written breach-notification law will make it clear that the risk
decisions to be made at the top of an affected company are not just about
the risk to those that have the privilege of holding data. The time to
worry about a breached company’s risk is beforehand in building a
cyber-security program and contingencies. Once an incident happens, the
needs of the victims become the biggest priority.

Believe it or not, post-breach notification and best practices can be a
competitive differentiator. It is inevitable that consumers will begin to
pay more attention to their personal privacy and data security, and judge
businesses, in part, by their post-breach disclosure behavior. In short,
having to disclose is not the end of the world for businesses, and can
become something of a check in their favor when done correctly.

A rule like this will make it quite clear that non-disclosure isn’t an
option. It will enable us all to focus on making sure that inevitable
infrastructure breaches don’t mean data breaches or, when they do, that
they are containable. We can also focus in the right areas to improve best
practices, work on prevention, invest in new technologies and plan to
minimize damage from attacks and frustrate the attackers who commit them.

Most compelling of all, it will enable an approach that always puts the
real victims in the center and guides the right behaviors from the outset.
Having data isn’t a right for corporations; it’s a privilege and one that
must always be treated as such, before, during and after breaches.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
