[BreachExchange] Should the U.S. Require Companies to Report Breaches?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Sep 25 20:51:45 EDT 2017


http://www.foxbusiness.com/features/2017/09/24/should-u-s-require-companies-to-report-breaches.html

There are two things we can count on in the wake of the Equifax breach,
already credited with exposing a majority of American adults to the
possibility of identity theft. The first is that more and potentially worse
breaches are in our future. The second is that companies will need to be
prodded toward smarter cybersecurity practices and faster reporting of
breaches.

Details of the breach -- which Equifax said it discovered in late July --
have only recently been revealed by the credit-reporting company and by
Mandiant, the cyber forensics firm it hired. However, the enormous loss of
data appears to have been the result of an unpatched vulnerability, which
allowed hackers to roam freely inside Equifax's computer network for more
than four months. (In a report, Equifax said it "took efforts" to fix the
compromised system.)

The Federal Trade Commission and the Federal Bureau of Investigation are
investigating, and the first of what's expected to be a wave of lawsuits by
state attorneys general has already been filed. But punishing Equifax isn't
the same as minimizing the impact of similar disasters. For that, we're
going to need something anathema to the tech industry and especially
companies that have been hacked: transparency.

It isn't coming voluntarily. There's already a patchwork of data-breach
disclosure laws passed by 48 different states, yet none have been strong
enough to get companies -- wary of increased costs and hits to their
reputations -- in line. Newly proposed federal regulations could be, if
they can get bipartisan support.

"Equifax has had a very poor response and I'm disappointed in them," says
Rep. Jim Langevin (D-R.I.), one of the members of Congress behind the new
regulatory push. "As good corporate citizens I believe Equifax owes much
more transparency to consumers."

Equifax didn't respond to requests for comment.

Many firms share information with each other through cybersecurity
back-channels, but participation is entirely voluntary. That's one reason
the European Union passed the General Data Protection Regulation, going
into effect May 2018, which will force companies that do business in the EU
and the United Kingdom to promptly disclose when personal data is breached.

Lawmakers in the U.S. are urging Congress to follow suit. Rep. Langevin
reintroduced the Personal Data Notification and Protection Act, first
proposed by President Obama in 2015. Co-sponsors include Rep. Ted Lieu (D.,
Calif.) and Rep. Carol Shea-Porter (D., N.H.). All three are members of the
bipartisan Congressional Cybersecurity Caucus.

Meanwhile, Republican lawmakers are gearing up for hearings that will
surely include grilling Equifax executives, but have yet to call for
regulations. House Energy and Commerce Committee Chairman Greg Walden (R.,
Ore.) has said that until those fact-finding hearings are complete, he
doesn't want to pre-emptively put forward legislation.

Many companies and analysts object to proposed legislation, in part because
they believe that should it come to pass, companies would prioritize
compliance -- following the letter of the law and appearing to do the right
thing -- rather than actually dealing with the fast-moving problem of
cybersecurity, says Andrea O'Sullivan, program manager of the technology
policy program for the pro-market Mercatus Center at George Mason
University.

Companies don't want to be embarrassed or face the increased costs of
having to disclose when people's data is leaked, and there is also a
concern that should companies be forced to report every breach, it could
lead to "data breach fatigue," where regulators are overwhelmed and the
public throws up its hands at a problem that feels too pervasive to fix.
(One could argue we're already past that point.)

Transparency could actually give companies herd immunity. Existing
voluntary breach reporting systems allow companies to share data on the
nature of cyberattacks as soon as they occur. If reporting were mandatory,
more companies could be quicker to defend against new attack vectors and
new bad actors.

And, needless to say, strong cybersecurity is quickly becoming a selling
point for savvy financial businesses.

Even regulation-averse politicians have cause to support a data-breach
disclosure law at the federal level, says Rep. Langevin. It would simplify
the issue for businesses by pre-empting the patchwork of 48 state laws,
dating back to 2003, that currently govern what companies have to do in the
event of a breach of personal data.

Rep. Langevin argues that, had it been in place already, the Personal Data
Notification and Protection Act would have had a direct impact in the case
of the Equifax hack, and in previous hacks that inspired the bill.

Under this proposed legislation, Equifax would have had to disclose its
breach within 30 days -- not the six weeks it took -- to the FTC and the
Department of Homeland Security, which would become central clearinghouses
for breach information.

Companies that fail to meet the requirements would face a raft of
penalties, including fines of up to $1 million per violation. They'd be
liable for civil penalties in lawsuits from state attorneys general, with
no limit on the damages that could be recovered if the company is found to
have acted willfully or intentionally.

Even absent such efforts at the federal level, the coming EU regulations
will force many large U.S. companies to get better at cybersecurity and,
more important, improve their data collection and storage policies, says
Charlie Wedin, a partner at international law firm Osborne Clarke. His firm
is helping companies prepare for the EU rules. "What compulsory breach
notification is doing is putting this on the board agenda, and they're
focusing on this like never before," he says.

What we really need to do is start treating data safety with the same
seriousness we apply to airplane and automobile safety.

This could happen with a one-two punch of regulatory and market-based
solutions. Forced to buy car insurance, we make certain economic decisions
about how, what and when we drive. Meanwhile, seatbelt laws have saved
millions of lives. Along these same lines, mandatory disclosure would force
companies to think more about their security in the first place -- and even
consider buying cyber insurance. And damage done by irresponsible companies
could be minimized.

When Equifax was breached, hackers got birthdates, Social Security numbers
and other hard facts about most of us. This data has the power to ruin our
financial lives, so it's time we all took interest in its protection.