[BreachExchange] 'Without reasonable delay' — How security breach reporting is evolving in government

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 27 18:46:01 EST 2018


Sensitive information found its way into cybercriminals’ hands in more than
two dozen major security breaches in 2017, and the rising frequency of
cyberattacks is driving a shift in thinking about data breach reporting.

In the statutes that determine how quickly the public must learn of a
breach, states generally have required notice “without unreasonable delay.”
That standard permits time for companies and government agencies who
experience data loss to research the scope of the breach and how it
happened, preserve evidence and discover information that will help prevent
future incidents.

But as breaches have become almost commonplace, some state legislatures are
beginning to shorten the time frames in which breaches must be reported.
Several states, including New Mexico and Ohio, now require disclosure no
later than 45 days after a breach is discovered. Florida allows just 30.

Most states enforce the reporting deadlines by assessing civil penalties
for failure to provide information within the mandated time frame. Fines
can run into the tens or hundreds of thousands of dollars. Florida requires
a fine of up to $500,000 if notice is not given within 180 days of the
event. In Michigan, the penalty can run up to $750,000.

Biometric data theft

Shorter notification deadlines are not the only changes some states have

States traditionally have required citizens to be notified if their
personally identifiable information (PII) — including driver’s license,
credit card or Social Security numbers — has been compromised. As biometric
technology becomes more commonly used to let employees clock in at work
or access financial accounts, companies and government will increasingly
collect and store eye and facial scans, fingerprints and other personal
biometric data, as well.

Because what is stored can be stolen, several legislatures have added
biometric data theft to their breach reporting statutes. Most recently,
Delaware passed an amendment, taking effect in April 2018, that includes
“unique biometric data generated from measurements or analysis of human
body characteristics for authentication purposes” in its data security
breach statute.

Responding to a changing landscape

When a breach occurs, condensing the time by which a report must be made is
at odds with the need to complete a forensic investigation, which may take
several months, depending on the scope of the breach. Adhering to a short
disclosure window may mean going public with incomplete information that
later could prove inaccurate, a situation that ultimately may cause more
harm than good.

Security leaders are caught between a rock and a hard place, but they can
take these steps to respond to the shifting data breach notification

- Develop a data classification policy that organizes the information you
collect by the impact to your constituents if its confidentiality were to
be compromised. Review your policy and inventory your data at least
annually, making changes as needed.
- Collect and store only the information you need to do business. If you
have regularly collected PII, look for alternative ways to identify those
you serve.
- Review your state’s reporting requirements. If citizens from other states
do business with you, recognize that you must adhere to those states’
stipulations, as well. Make sure you understand what is expected if a
breach occurs.
- Create an incident response plan that allows you to report within the
relevant time allotment. Among other components, your plan should include
internal and external contacts, a protocol for reaching each one and
templates and methodologies for reporting the breach to various
stakeholders. Test and update your plan annually.
- If a breach occurs and you are required to disclose it before a forensic
investigation is complete, be clear about where the process stands. Help
constituents understand that the early reporting is incomplete and more
information will be disseminated as it becomes available.

Cyber theft will continue to be a major concern for business and government
in the year ahead. While virtually all government agencies have data
security measures in place, breaches happen. Changing disclosure
obligations make it more critical than ever that agencies be prepared to
respond if they are affected.