Attacks/Breaches
6/17/2011
01:01 PM
Connect Directly
RSS
E-Mail
50%
50%

How Fast Should Companies Come Clean On Breaches?

Disclosing them too quickly can compromise investigations, security experts warn.

Are companies notifying consumers quickly enough after their personal data has been exposed via a security breach?

The speed of such notifications seems to be a key question now. Earlier this month, the House Committee on Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade peppered representatives from two breached companies with questions ranging from how they'd secured their data, to how quickly they'd notified affected customers.

Sony Network Entertainment president Tim Schaaff, who oversees both the business and technical aspects of the Sony PlayStation Network and Qriocity services, detailed how an attack "unprecedented in its size and scope" compromised both of those services, as well as Sony Online Entertainment, resulting in more than 100 million exposed user accounts. But Schaaff told the hearing that Sony waited only three days to notify customers after discovering the first breaches, on April 19. (Of course, Sony's troubles haven't stopped there. The day of Schaaff's testimony, the LulzSec hacking group released details from 150,000 Sony Pictures website user accounts, and more hacks have followed.)

Meanwhile, Epsilon's general counsel, Jeanette Fitzgerald, provided more details about the breach of its email marketing platform that put millions of customers of more than 50 major companies--including Best Buy, Citibank, and Verizon--at risk from spear phishing. In terms of response time, Fitzgerald said her company detected the breach of its email platform on March 30, notified the Secret Service on April 1, and issued a public warning on the same day.

In contrast, Honda Canada (not present at the hearing) suffered a data breach in March but waited until May to inform customers. One reader speculated in a recent story comment, "Honda took their time to figure out how to protect themselves before considering the impact on their customers!" A lawsuit by Canadian consumers affected by the breach likewise alleges that Honda didn't move in a timely manner.

During the hearing, chaired by Rep. Mary Bono Mack (R-Calif.), legislators appeared to be grappling with the question of how quickly businesses should notify customers after a security breach. According to Reuters, legislation proposed by Mack would require mandatory data breach notifications. The bill is now being tweaked after criticisms that it isn't rigorous enough.

The issue: The current version of the bill requires companies to notify law enforcement agencies within 48 hours of discovering they've been breached, and stipulates that consumers would then have to be notified after the resulting investigation concludes. Realistically, that could span many months. Revisions to the bill, however, might cap the consumer notification grace period at 60 days after a breach is discovered, said a senior policy adviser to Mack.

What's the optimal time for notifying consumers when their data has been breached? It's easy to say Honda moved too slowly, or that Epsilon and Sony did right by moving quickly. But there aren't any pat answers.

As part of the House hearing, Sony's Schaaff cautioned against mandating timelines. "Laws--and common sense--provide for companies to investigate breaches, gather the facts, and then report data losses publicly," he said. "If you reverse that order--issuing vague or speculative statements before you have specific and reliable information--you either confuse and panic people, without giving them useful facts, or you bombard them with so many announcements that they become background noise."

In cases involving negligence (such as a lost USB drive), affected organizations should come clean quickly, but after cyber attacks, before going public "you want to have conducted your investigation thoroughly," says data breach expert Larry Ponemon, chairman and founder of the Ponemon Institute. "It's better to be slow and surgical rather than fast and inaccurate." Such inaccuracies often result in organizations having to continually revise estimates of breach severity.

Ponemon cites Sony as an example of what not to do. "In the Sony breach, based on my sources, it's very likely that when they discovered the data breach, they were still being attacked by the cyber criminals," he says. "So you don't want to announce the breach, because you want to get a better handle on who's attacking you."

Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7052
Published: 2014-10-19
The sahab-alkher.com (aka com.tapatalk.sahabalkhercomvb) application 2.4.9.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7056
Published: 2014-10-19
The Yeast Infection (aka com.wyeastinfectionapp) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7070
Published: 2014-10-19
The Air War Hero (aka com.dev.airwar) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7075
Published: 2014-10-19
The HAPPY (aka com.tw.knowhowdesign.sinfonghuei) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-7079
Published: 2014-10-19
The Romeo and Juliet (aka jp.co.cybird.appli.android.rjs) application 1.0.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.