BreachExchange mailing list archives

Disclosing data breaches: There oughta be a law


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 14 Mar 2014 13:22:45 -0600

http://www.cbsnews.com/news/disclosing-data-breaches-there-oughta-be-a-law/

Back in September 2011, an unusual purchase was made at a Santa Cruz,
Calif., thrift store.

An unidentified "member of the public" bought an external hard drive that
contained more than 30,000 Social Security numbers belonging to Kaiser
Foundation Health Plan employees and former workers, a January lawsuit
filed by the California Attorney General's office claims.

While that was bad enough, what came next compounded the problem, the
complaint alleges. While Kaiser managed to reclaim the hard drive in
December and performed a forensic investigation, the company waited three
months to alert the victims, the lawsuit claims.

In its lawsuit, California alleges Kaiser violated a state law that
requires companies to disclose security breaches "in the most expedient
time possible and without unreasonable delay."

While Kaiser reached a settlement last month, the case highlights a bigger
issue about data breach disclosures: they're covered by a patchwork set of
laws that vary from state to state. Given that some of those laws include
vague guidelines, such as California's "most expedient time" wording,
companies have leeway in when to alert customers. Consumers, on the other
hand, can feel gobsmacked when they learn a company waited to flag them
about a theft of their personal data.

So, what exactly does California's law mean?

"Many of the states without a specific time frame came to regard 45 days as
what is reasonable and expected," notes Margo Tank, a partner at
BuckleySandler LLP.

But 45 days might not be so "reasonable," given that data breaches are
sometimes reported in the press, Tank adds.

Take Target's recent data breach, which affected as many as 110 million
consumers. Some shoppers were angered by the timeline of the breach's
disclosure, given that security blogger Brian Krebs broke the news about
the crime before the retailer alerted its customers.

But companies sometimes want to hold off on disclosing a breach until
they've worked with law enforcement and have clear information to provide
to customers.

"If I disclose too early, I may give out the wrong information," notes John
Pironti, risk advisor with the nonprofit information systems group ISACA.
"There's an expectation of total disclosure, but often you don't know all
the facts. What you first put out there will be the first thing everyone
remembers."

In Target's case, the company had a four-day gap between when it confirmed
the breach and when it alerted customers.

"As soon as we confirmed the breach on December 15, we immediately alerted
the relevant financial institutions and began working with the appropriate
law enforcement to ensure we were complying with all state and federal
requirements," a Target spokeswoman emailed CBS MoneyWatch. "We then moved
swiftly to inform our guests, educate them and help them understand steps
they could take on December 19."

The grab-bag of state disclosure laws is prompting a call for a national
standard. U.S. Attorney General Eric Holder last month urged Congress to
create a countrywide standard. Currently, 46 states have laws about breach
notification. Alabama, Kentucky, New Mexico and South Dakota lack
guidelines on disclosure.

It's not a small problem, considering that more than 600 million personal
records have been stolen in 3,818 breaches since 2005, according to
Bloomberg Law. As ISACA's Pironti notes, criminals are becoming
increasingly sophisticated about attacking corporate information systems.
That means data breaches aren't likely to stop anytime soon, and the
victims may be the last ones to find out about them.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss