[BreachExchange] A new ethics?: Moral compass

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 3 17:54:19 EDT 2016


http://www.scmagazine.com/a-new-ethics-moral-compass/article/522674/

Hammered by mega-breaches and constantly probed by would-be attackers,
enterprises, government entities and other organizations are asking whether
an ethical approach to cybersecurity requires sharing more information than
the law requires.

Many experts see ethical issues playing an increasingly important role as
information security lapses not only spur greater consumer protection laws
and increased regulation, but also put preeminent corporate brands at risk.

It's the reputational hit from a data breach that's the key driver of
information security ethics, says Eric Burger, a research professor of
computer science at Georgetown University.

“Corporations act ethically because they have to,” says Burger, a veteran
IT entrepreneur. “If they say they are, it is because they want to be in an
ethical funds portfolio.” The average corporation is not founded on the
basis of protecting data, he says. By contrast, the NGO where he serves as
a board member has a commitment to ethics beyond the industry standard.

According to attorney Gary Kibel, the ethics of breach disclosure and
threat intelligence sharing has to be seen in light of three basic
categories: state and federal disclosure laws, regulatory requirements and
contractual obligations to business partners that may require or prevent
disclosure.

“If no one is forcing you, or you have no obligation [to report a breach],
you need to decide whether you want to do it yourself,” says Kibel, partner
in the digital media, technology and privacy practice at the Davis &
Gilbert law firm in New York.

“We will talk to clients about what makes sense for their business,” Kibel
says. “But ultimately they have to decide whether they are going to
disclose even if they are not required or prohibited from doing so.”

Those ethical questions are inevitably entangled with divergent and often
conflicting breach disclosure laws across 47 states in the U.S., says
Thomas Smedinghoff, a Chicago-based attorney with Locke Lord.

“In some states, you are required to disclose certain things about the
breach,” he says. “But in Massachusetts, the law says you are prohibited
from disclosing them. If you were just being ethical, you could violate the
law.”

Federal legislation governing data breaches presents further challenges to
the efforts of information security ethicists to balance collaboration with
law enforcement against transparency to business partners and the public. The
proposed Data Security and Breach Notification Act of 2015, for example,
would mandate breach disclosure to consumers within 30 days “unless United
States Secret Service or the Federal Bureau of Investigation determines
that notification under this section would impede a criminal investigation
or a national security activity.”

In this scenario, a company's efforts to do the right thing by consumers
could be sidelined for weeks, months or even longer if national security
agencies conclude that tracking corporate espionage or cyberattacks on
critical infrastructure are more important than protecting the credit
profile of millions of people.

That could present a problem to businesses that have positioned themselves
as being vigilant about consumer data. “From a corporate social
responsibility and a public relations perspective, doing the right thing –
and being perceived that way – can have a lot of advantages,” says
Smedinghoff. Nevertheless, a rush to notify can make remediation more
difficult, he adds. “You want to do the right thing, but want to make sure
what you're dealing with before you do that.”

Ben Knieff, a New York-based senior analyst at the Aite Group, makes a
similar point. “Transparency is something we value in society but sometimes
it is appropriate not to talk about something for at least a limited period
of time,” he says. “Going public can substantially harm an ongoing
investigation.”

That dilemma is more acute when it comes to disclosing cyberthreats through
the sharing of intelligence, says Burger. “There is a huge financial
disincentive for sharing,” he says, pointing to the Information Sharing and
Analysis Centers (ISACs), established in the critical infrastructure
industry and since broadened to financial services and other sectors. If
you are a nuclear power plant operator found to be lacking in preparation
for a threat that other industry players have found, “you will be fined,”
he says.

The government-initiated supplement to ISACs, the Information Sharing and
Analysis Organizations (ISAOs), are given a pass on antitrust enforcement
under the Cybersecurity Information Sharing Act of 2015 (CISA). But the
ethics of public disclosure of potential threats are less clear cut. If a
power generation company shares information about a potential cyberattack
on the grid, what happens if one of the recipients of that information
discloses it publicly, leading to a stock market selloff of the affected
companies or panic over the possible blackout?

“There are huge ethical issues” around threat information sharing, says
Larry Ponemon, chairman of the Ponemon Institute, the Michigan-based
research organization. “Sometimes what is shared is junk, it's trying to
put a competitor out of business. This does require some ethics.”

The need for quality threat intelligence sharing is growing. According to a
2015 Ponemon Institute study, 47 percent of respondents reported a security
breach that compromised networks or enterprise systems. Some 65 percent of
respondents stated that threat intelligence could have prevented, or at
least mitigated, those attacks.

It boils down to a simple question, says Burger: Does a corporation have to
do something other than what government and regulators tell them they have
to do?

The evolution of automobile safety may provide a guide for what is to come
in the ethics of cybersecurity, Burger says. “In 1930, we didn't know how
to build safe cars. In 1950, we had a better idea. In 1960, we knew how to
make safe cars, but didn't want to.”

Ultimately, Burger says, it was Ralph Nader's consumer advocacy that
forced automakers to transform vehicle safety.

For now, however, the patchwork of laws in the U.S. has complicated
cybersecurity ethics. Then there's the European Union's General Data
Protection Regulation, revised in 2016 to include a 72-hour notice to
authority. But post-Brexit, in non-E.U. Britain, the less stringent Data
Protection Act may become the governing law on the question, unless access
to the E.U.'s single market requires conformance. The UK's independent
commission on data privacy isn't clear on the issue.

Could an ethical approach help businesses find a way out of this global
legal thicket? PwC consultant Stewart Room argued in 2014 that ethical
considerations were a better guide to post-breach action than simply
checking the boxes on legal obligations. Ethics, he wrote, “remind you of
the bigger picture, helping you to do the right thing in a way that can
withstand durable scrutiny.” Room concludes: “Ethics and breach handling go
hand in hand.”

If consumer-facing companies may benefit from establishing an ethics of
post-breach actions, the ethics of threat intelligence sharing are
decidedly more complicated, says Ponemon. “Retail banks are spending about
$250 million on cybersecurity tools – more like half a billion,” he says.
“They don't want to spend that money and allow others to benefit. There is
an idea that threat intelligence sharing is necessarily equitable.”

On the consumer side, a series of megabreaches have pushed the ethics issue
into the foreground, with those affected forced to consider whether they
should continue to trust their personal data and credit information to
hacker-hit retailers like Target or health insurance providers such as
Anthem. At the same time, a potential shift in breach liability away from
credit card issuers – witness Target's $39 million settlement with bank
credit processors in 2015 – puts pressure on retailers to go above and
beyond the law in both the protection of data and disclosure of threats and
compromises.

Meanwhile, government agencies charged with protecting consumers are
raising the bar, with both the venerable Federal Trade Commission and the
new Consumer Finance Protection Bureau pushing companies to become better
stewards of private data or face fines and enforcement action.

But, even the best ethical practices around cybersecurity and breach
disclosure aren't enough to meet all those requirements, according to
Smedinghoff. “Being ethical does not necessarily mean you are compliant,”
he says. “You may be ethically appropriate – but that may not be sufficient
to satisfy the law.”