[BreachExchange] Hacked Firms Face ‘Frankenstein’ of State-Based Cyber Notification Laws

Destry Winant destry at riskbasedsecurity.com
Fri Mar 12 10:50:39 EST 2021


https://www.insurancejournal.com/news/national/2021/03/11/604706.htm

Last summer, Katherine “Kitty” Green received some disturbing news
about the computer network at Florida Gulf Coast University, where she
oversees a foundation for private donors. An outside data provider
warned it had detected that hackers sneaked into the university’s
systems and might have made off with sensitive personal information of
its benefactors.

Six months later, FGCU sent out notices to 5,498 financial supporters,
offering free credit-monitoring and a hot line to call for more
information. One reason it took so long is that, after consulting with
technical and legal experts, the university concluded that under local
laws, it would have to file different notifications in 16 different
states.

“Every state has different questions, which makes it much more
complicated to know what to do,” Green said. “It was definitely more
time consuming than we’d imagined.”

With more businesses, governments and organizations succumbing to
cyber-attacks, the lack of a clear and effective reporting standard
for threats and breaches has taken on new urgency. Over the weekend,
another massive hack of businesses came to light, this time of
Microsoft Corp.’s widely used email software and affecting at least
60,000 known victims globally, according to a former senior U.S.
official with knowledge of the matter.

That announcement comes hard on the heels of the SolarWinds hack, so
called because suspected Russian hackers targeted popular software
from Texas-based SolarWinds Corp. As many as 18,000 of its customers
received infected updates, though far fewer were targeted with
secondary attacks — about 100 private-sector companies and nine U.S.
agencies, according to the White House.

Notification Headache

Amid all these attacks, notifying the public has itself become a major
headache. That’s because, as data breaches have proliferated, so too
has the patchwork of notification requirements.

On the federal level, there are special rules for personal health
records and a Securities and Exchange Commission directive that public
companies inform investors of “material” breaches.

Separately, each of the 50 states has its own breach notification
requirements, as does the District of Columbia, Puerto Rico and Guam.

In Indiana for instance, at least three dozen organizations have filed
data breach notices so far this year to alert a single resident in the
state, records from the attorney general’s office indicate. (FGCU
filed a notice in Indiana because 34 of its donors live there, the
records show.) A number of other states likewise require notification
regardless of how many residents were affected.

Organizations reeling from cyber-attacks must navigate a reporting
maze that “makes the victims’ lives a lot harder,” said Jordan Rae
Kelly, a veteran of the National Security Council and the FBI who
heads FTI Consulting’s cybersecurity practice in the Americas. “It
puts them in a situation where they’re facing disparate rules. I think
the federal government should step in with guidelines about data
breach disclosures.”

Creating a unified standard for when the private sector must warn of
illicit cyber activity has been proposed before but fell short in the
face of resistance from some Republicans and business groups, who
described it as costly and burdensome and undercutting public-private
collaboration. In 2015, the Obama administration proposed “simplifying
and standardizing the existing patchwork” of what at the time were 46
separate state laws by instituting a “single clear and timely notice
requirement.”

Mandatory Standards

The Cybersecurity Information Sharing Act of 2015, passed later that
year, didn’t go that far. Instead, it provided legal protection to
organizations that shared information about cyber threats voluntarily.

“I don’t think our traditional reporting mechanisms necessarily work,”
said Senator Mark Warner, chairman of the Senate Select Committee on
Intelligence, at a hearing last month where the prospect of drafting
new notification standards was discussed. Brad Smith, president of
Microsoft, and Kevin Mandia, chief executive officer of FireEye Inc.,
the cybersecurity firm that discovered the SolarWinds breach, each
spoke in favor of mandatory standards for sharing suspicious network
activity long before it results in public notifications.

As things now stand, organizations hit by data breaches are often
required to disclose them only after determining that consumer data is
at risk. That can occur months after a threat is first detected and
the value of issuing warnings has diminished. The complexity of state
and federal notice requirements only adds to the lags.

It would have been easier to create a unified disclosure regime before
all the states jumped in, but the problem is now urgent enough that
policy makers may finally act, said Luke Dembosky, a former deputy
assistant attorney general for national security, who now heads
Debevoise & Plimpton’s data security practice.

“In the U.S., we have the Frankenstein notification regime that raises
costs and inefficiencies,” he said.
