Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
1/14/2015 | 9:19:49 AM
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
" Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says." This ranks high among the important aspects of any proposed legislation regarding breach notification. Can you imagine how much confusion would be caused if a data breach had to be disclosed according to the different provisions of 50 state laws plus the federal law? Any federal legislation should be at least as strict as the most stringent of all the state laws. In that scenario, breach notification would be much simpler for any organization.

"Under the new standard we're proposing, companies would have to notify consumers of a breach within 30 days." As far as the notification timeframe is concerned, 30 days seems a bit long. Here is why I think that way. Confirmation of a breach may take more time that most people realize, given the many clever ways that leaves an organization without proper authorization; it could take days or weeks to confirm exfiltration. Further, it may take an even much longer time to even discover an intrusion. So an organization that has been breached has had plenty of time to gather information and compose a notification. In my opinion, the timeframe should be between 7-14 days.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
1/14/2015 | 8:45:59 AM
Re: The Rainbow books > 30 days too long? 7 days too short?
That's correct, @marilyn. But who knows how a final bill would be worded--hopefully, not with too much wiggle room.
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Guru
1/13/2015 | 2:27:02 PM
Re: Nice plan, but still too long
Call me crazy (especially in these Twilight Zone times), but the CEO and company officers' primary job is to enhance and protect the company's bottom line - otherwise, they are out of a job and the company closes. Also, it's easy to say "the company should just spend more money" when you aren't the one being held accountable to profitability. Cyber security consultants are EXPENSIVE, espcially when they are getting paid a premium to discover and close a breach.

I agree that companies should report breaches, but the problem with this, as in all government solutions, is that they create a "one size fits all" solution that rarely fits even 10% of its target. As pointed out here, what defines a brech? If they find it and don't find a way to close it in 30 days, then the government legislation now makes that company a target. I am pretty sure you don't want that, right? 

I think the market has already started forcing companies to reevaluate their cyber security and privacy policies. We don't need any MORE government interference here - the market has already started adjusting.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:51:38 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I believe the clock starts ticking in the Obama proposal when a breach is confirmed, which makes sense to me.
Ed Telders
50%
50%
Ed Telders,
User Rank: Apprentice
1/13/2015 | 12:35:06 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
The amount to time elapsed before reporting a breach is very different between the laws in the various states.  In some cases they identify specifically what would be in scope for a disclosure and what would not.  A national law would at least standardize the approach.  Another consideration that is very different in some of the states is when the clock starts ticking, some require notification only after a breach is "confirmed", others require notification if a breach is "suspected".

This could be a very grey area and could give lots of "wiggle room".  I haven't seen a company yet that was eager to reveal a breach or sytem weakness.  There will be a lot of pushback on this I would predict.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
1/13/2015 | 12:27:39 PM
Nice plan, but still too long
I appreciate that these companies don't want to lose too much business over a breach, but it was their security breach. If they didn't want it to happen, surely they should just invest more in security?

It customer details have been stolen, particularly financial information, companies shuold be required to report it as soon as the extent of the damage is understood. 7 days seems far more reasonable, as people may need to cancel credit cards ot change certain account information to prevent their identities being stolen.

It seems very self-centered to only think about your company's bottom line when your lax security has allowed your customers to suffer. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:06:24 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I don't know, @Midnight. 30 days sounds reasonable to me. 7 days seems kind of short. What do others think?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:02:44 PM
Re: a bit late
thanks for the link @SgS125. I'm making it live: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Also totally agree with your idea for a central place for security pros to report attacks etc. would be a great idea.

 
Midnight
50%
50%
Midnight,
User Rank: Apprentice
1/13/2015 | 11:13:52 AM
The Rainbow books
Way back in the 80's (yes those eons ago) there was a collection of venerable books for the military on data security. Thin books each a different color, thus dubbed the rainbow books. The policies were dogmatic, draconian and, well, "military" but sound, unargueable and solid. Very common sense writing in clear understandable writing. I would suggest in the wake of these breaches, that they are reviewed again as a ruler for comparision. I'll bet that you will find a rule broken every step of the way, for every compromise, every error in the Sony attack. It was preventable.

That being said, 30 days? make it 7. Businesses deserve the profitability slapdown when they don't take care of the business infrastructure. It's called "minding the shop." No excuse is acceptable when the doors are wide open and no-one's home.
SgS125
50%
50%
SgS125,
User Rank: Ninja
1/13/2015 | 9:33:09 AM
Re: a bit late
Every state has breach notification laws.

What we really need is a place to report Internet Crime that results in action being taken.

The FBI has a site to report stuff, but you never hear anything back from them, ever.

I need a place to report brute force attacks, attempts to break web servers, and attempts to inject malware into what I protect.  If we simply went after the bad actors and really tried to catch them I think it would make a big difference to those people who can just blast away at your infrastructure with no worry about getting punished.

 

It does only when they do something big that we even hear that the FBI is interested.   Like SONY.

The rest of us just keep plugging along hoping we don't get compromised by some zero day exploit that has been kept a secret for someone's use.

here is a nice list of the current reporting laws:

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

 
Page 1 / 2   >   >>


News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29370
PUBLISHED: 2021-04-13
A UXSS was discovered in the Thanos-Soft Cheetah Browser in Android 1.2.0 due to the inadequate filter of the intent scheme. This resulted in Cross-site scripting on the cheetah browser in any website.
CVE-2021-3460
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version 2.0.0.301, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
CVE-2021-3462
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could allow unauthorized access to the driver's device object.
CVE-2021-3463
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version 1.67.17.54, that could cause systems to experience a blue screen error.
CVE-2021-3471
PUBLISHED: 2021-04-13
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.