Comments from (ISC)² Leadership on Obama’s Call for 30-Day Breach Notification Policy for Hacked Companies
This proposal is a good start, but as always, the devil is in the details. Implementing this legislation would require both planning and the right people in place to execute. First, we need to consider how the term “breach” is defined – i.e., what would need to happen to require notification? If breached data is encrypted, would that require notification? Note that most states currently have some form of encryption exemption in their data breach laws. Second, the notification should be submitted in such a way so that the information is useful and doesn’t result in a backlog which would result in unnecessary delay. And let’s consider how others may benefit from that information so that the nation at large can learn from breaches and be better protected before the next attack happens. -Dan Waddell, CISSP, CAP, Director of Government Affairs, (ISC)²
I believe that this legislation can reduce breaches, but only long term. I expect that enterprises will gear up their detection, forensic and response capabilities as well as their notification protocols to be compliant. While none of those strategies directly prevent breaches, improved detection and forensics help to mitigate breach response time, while also improving data loss identification. Some of the more frustrating elements of these recent breaches include the sheer amount of time that hackers were in possession of the data and the changing stories as to who and how many records were affected. If we can shorten the amount of time between a hack and remediation, we limit the scope of the damage and ultimately, we have fewer consumers to notify. In the future, our greatest chance to see a reduction in breaches involves a shorter feedback and response time between the breach, detection, mitigation and public notification process.
Additionally, the 30-day notification requirement is helpful because it will allow further consumer awareness to actively monitor and protect impacted accounts and personal data. If consumers are provided with knowledge to help them react to a breach with protection measures such as credit monitoring services, replacement of credit cards and other mitigating actions quickly, the true value of the stolen data decreases significantly and could ultimately de-incentivize some of the less committed hackers.
This legislation brings information security and consumer breach response to the forefront of business requirements, rather than a mere risk management exercise. Additionally, when consumers are more informed about what is happening with their data and who handles it securely, they can certainly use that information to decide where to spend their money going forward. -Philip Casesa, CISSP, CSSLP, director of IT/Service Operations, (ISC)²
There are many dimensions of a breach. The motives may include behavioral pathology, robbery, vandalism, blackmail, revenge, anarchy, political gain or bullying. The technical means by which a breach was performed have multiple implications and possibilities for educating the public and to help better architect our defenses. -Dr. Vehbi Tasar, CISSP, CSSLP, Director of Professional Programs Development, (ISC)²
In this time of high-profile breaches and all of the attention drawn to cyberattacks, I believe this could have a decent chance of being passed. I would urge lawmakers to carefully consider the wording of any proposed legislation to ensure it allows a reasonable time for an organization to confirm the breach. For example, if an organization were allowed 30 days to notify the victim from the date that the records were breached, depending on when it was discovered, they may be in violation before they are even aware of the breach and/or its impact. I do not believe this will affect the number of breaches; however, it may minimize the damage as people would likely have a better opportunity to protect themselves. For example, if an individual knows that their phone number and email address were compromised, they may be more on the lookout for phishing attempts using that information. -Erich Kron, CISSP-ISSAP, HCISPP, Director of Membership Relations and Services, (ISC)²
This could very well help push security teams to focus more on detection than prevention. But 30 days might not be enough time for many companies; especially when you consider findings from Verizon’s 2014 Data Breach Investigation Report. Those findings indicate that Web application attacks were the largest percentage, and time of containment is measured in weeks (22%) and months (29%). -Bill Davison, CISSP, Security Engineer, (ISC)²