[BreachExchange] How agencies should respond to shorter breach reporting statutes

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 5 20:58:11 EST 2018


https://gcn.com/articles/2018/03/05/breach-reporting.aspx?admgarea=TC_SecCybersSec

Legislators increasingly criticize companies for the time it takes them to
announce cybersecurity attacks that affect millions of consumers.
Historically, most states have required only that notification of impacted
consumers be performed “without unreasonable delay.” But recent high-profile
breaches, like those affecting Equifax, Verizon and Sonic, have prompted many
states to mandate faster reporting timelines and to enforce the deadlines with
heavy civil fines for entities that do not comply.

As of Jan. 1, 2018, Maryland joined at least five other states that have
established 45 days from the time of discovery as the deadline for publicly
disclosing a breach. Some states also require the affected entity to
provide a year of free identity theft prevention or mitigation services to
every individual affected by the breach. Just two states, Alabama and South
Dakota, currently do not have a breach notification law in place.

The federal picture

State legislators are not the only ones paying attention to escalating
theft of private online information. For several years, the U.S. Congress
has discussed overriding the patchwork of state requirements by
establishing a national notification standard. Numerous bills have failed
to advance, but Congress is likely to continue proposing nationwide
notification measures until one passes.

One such iteration announced Dec. 1, 2017, dubbed the Data Security and
Breach Notification Act, gave entities that discover a breach 30 days to
issue a notification. On the heels of the Nov. 21 announcement that Uber
waited a year before revealing a cyber invasion that exposed 57 million
drivers’ and riders’ personal information, the proposed bill would make it
a crime -- punishable by up to five years in prison -- to purposely conceal
a breach.

Breach notification bills have stalled at the national level in part
because of uncertainty about whether a federal mandate would supersede
state laws. States with stricter regulations than those in a federal
statute would be reluctant to go back to a less-rigorous reporting
deadline. Recent moves to harden reporting statutes may represent states’
attempts to preempt a national law by demonstrating they already are doing
what needs to be done to protect citizens.

The problem with reporting prematurely

Elected officials, who have a responsibility for consumer protection,
understandably want affected individuals to learn quickly about a breach so
they can take protective measures. But premature reporting carries risks
for companies and government agencies that have been hacked.

Investigating a security breach requires a forensic process to find out how
the attack happened, identify its severity, contain the threat and
determine whether -- and if so, what -- confidential information has been
compromised. A thorough investigation is crucial, and it may take weeks or
months.

While government agencies must adhere to applicable reporting laws, it is
advisable not to speculate or offer definitive statements before all the
facts are known. Releasing information prematurely can damage an agency’s
credibility and erode citizens’ trust if the information communicated later
turns out to be erroneous or inaccurate.

Striking a balance

As the increasing number of breaches collides with tighter reporting
mandates, agencies must strike a balance between protecting citizens and
taking the time required to conduct a meticulous forensic investigation.
Before a breach occurs:

1. Understand the reporting requirements. Many states’ breach-related laws
have changed over the past few years. Agencies that do business with
citizens or businesses outside their home state must report a breach
according to the dictates of the other states, as well.

2. Review agency-stored data. Discontinue storing any data that is not
necessary for conducting business. Make sure the IT team knows where all
the data is stored so they can quickly determine, if a breach occurs, which
data may have been compromised.

3. Develop a plan to announce the breach. Establish and test an incident
response plan that permits officials to disseminate information by the
reporting deadline. The plan should identify a certified forensic service
firm that can be called in immediately to conduct a comprehensive
investigation. The plan also should outline a structure for managing the
public announcement.

Adhering to reporting requirements may mean that agencies that experience a
breach must go public before they have fully determined the extent of the
incident. In that case:

- Tie initial assertions to the status of the forensic investigation.
- Be upfront about progress with the fact-finding process.
- Communicate only information verified as accurate.
- Caution that reports contain information obtained thus far.
- Acknowledge the public’s desire for as much information as possible.
- Assure authorities and the public further information will be provided as
soon as it can be verified.