1/12/2015
03:45 PM

Obama Calls For 30-Day Breach Notification Policy For Hacked Companies

But chances of this becoming a mandatory national breach notification law are no sure thing, even in the wake of the past year's high-profile hacks, experts say.

As part of the run-up to his State of the Union speech on Jan. 20, President Obama proposed legislation today requiring companies hit by a data breach to inform affected customers within 30 days of discovering exposure of the data.

A national breach notification law has been the subject of a fierce battle on the Hill for years to no avail, but the specter of Sony's massive and very public breach, as well as the Year of the Retailer Breach in 2014, provided a high-profile backdrop for the president's announcement. Obama's proposed Personal Data Notification and Protection Act aims to unify the differing and often confusing mix of notification laws across 48 states.

"We're introducing new legislation to create a… strong national standard so Americans know when their information has been stolen," Obama said at a Federal Trade Commission (FTC) event today in Washington. "Under the new standard we’re proposing, companies would have to notify consumers of a breach within 30 days."

The proposed 30-day policy drew mostly praise from security experts. But policy watchers say the chances of Congress ultimately passing a mandatory disclosure law appear slim, even with the Sony breach and other high-profile incidents in the past year as prime ammunition for action.

"Mandatory notification will not pass Congress automatically or quickly," says Kristen Verderame, CEO of Pondera International, a boutique consultancy that works with startups and specializes in cyber security policy. "My experience is that the same opponents will push against any legislation on this topic, as they have in the past -- despite Sony -- and corporations will continue to use the same cost/benefit analysis to determine whether and when to make the existence of a breach public."

The new Republican-majority Congress will make any mandatory rules for businesses even more difficult to pass, Verderame says. But "harmonizing" breach notification requirements could be achieved by the administration and Congress. "The exception to this may be simply harmonizing data breach notification requirements across the country so that there is one rule for companies to follow, instead of 50. The business community supports, as do I, harmonization wherever it aids compliance."

Breach notification is a delicate dance for businesses, and a relatively tight deadline carries image and shareholder risk for them. "Having served as an exec at a Fortune 100 company, I agree with many corporates' views that, if companies are forced to announce breaches to the public on a certain timeline that may not accommodate necessary risk and preparatory analysis, more risk of harm to the company may be caused."

Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says.

"I am hopeful that we're finally at the stage where we can move some of these pieces through Congress and the administration… because we've seen a natural maturation process, with a number of different bills going through Congress," Clinton says. "We might be at the right maturation point."

Battling ID theft
Obama's proposed legislation also would criminalize "illicit overseas trade in identities," according to the White House.

In addition, the president set out related proposals for identity theft protection, announcing that JPMorgan Chase and Bank of America had teamed up with Fair Isaac Corp. (FICO) to make credit scores free to their consumer card customers. USAA and State Employees' Credit Union will do the same, and Ally Financial will make this information available to its auto loan customers, according to the White House.

"Through this effort over half of all adult Americans with credit scores will now have access to this tool to help spot identity theft, through their banks, card issuers, or lenders," the White House said.

"The more we do to protect consumer information and privacy, the harder it is for hackers to damage our businesses and hurt our economy," Obama said at the FTC event.

Ken Levine, CEO of Digital Guardian, says the devil's in the details. "Breach notification is a good idea, depending on the definition of a breach. From a public perspective, there's always that fine line between so many breach notifications desensitizing people to the problem, or overly panicking."


Today's announcements kicked off a week of pre-State of the Union cyber security and privacy initiatives. The other initiatives being announced by the administration this week include a proposed Student Digital Privacy Act, which would ensure any data collected in education environments isn't sold to third parties for targeted advertising or other non-educational purposes; new Department of Education services to protect students' privacy, including teacher training to help protect student data; a Voluntary Code of Conduct by which utilities and related third parties would pledge to protect customers' electricity data; and Consumer Privacy Bill of Rights legislation, which would ensure online consumer data collection is not abused.

And that's not all: When he visits the National Cybersecurity and Communications Integration Center tomorrow, Obama is expected to talk about beefing up cyber security information sharing between the government and private industry. The long-debated and still-stalled Cyber Intelligence Sharing and Protection Act (CISPA) will likely be front and center of that discussion. That bill aims to provide liability protection for companies that share attack intelligence, but privacy advocates aren't convinced it would truly protect the confidentiality of shared data, and worry it would instead lead to privacy-invading government monitoring.

CISPA isn't a cure-all for preventing breaches, either. "What concerns me about CISPA is that it will tempt organizations to focus on indicators of compromise and not a solid security program," says Ron Gula, CEO and CTO at Tenable Network Security. "If the government gives out a list of bad actors, organizations may feel they are doing enough -- and have invested enough -- if they don't have any evidence of those bad actors on their network." The bill wouldn't have prevented Sony's massive attack, despite pressure in Congress to pass CISPA in the wake of that breach.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
GonzSTL
User Rank: Ninja
1/14/2015 | 9:19:49 AM
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
" Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says." This ranks high among the important aspects of any proposed legislation regarding breach notification. Can you imagine how much confusion would be caused if a data breach had to be disclosed according to the different provisions of 50 state laws plus the federal law? Any federal legislation should be at least as strict as the most stringent of all the state laws. In that scenario, breach notification would be much simpler for any organization.

"Under the new standard we're proposing, companies would have to notify consumers of a breach within 30 days." As far as the notification timeframe is concerned, 30 days seems a bit long. Here is why I think that way. Confirmation of a breach may take more time than most people realize, given the many clever ways that data leaves an organization without proper authorization; it could take days or weeks to confirm exfiltration. Further, it may take even longer to even discover an intrusion. So an organization that has been breached has had plenty of time to gather information and compose a notification. In my opinion, the timeframe should be between 7 and 14 days.
Kelly Jackson Higgins
User Rank: Strategist
1/14/2015 | 8:45:59 AM
Re: The Rainbow books > 30 days too long? 7 days too short?
That's correct, @marilyn. But who knows how a final bill would be worded--hopefully, not with too much wiggle room.
GAProgrammer
User Rank: Guru
1/13/2015 | 2:27:02 PM
Re: Nice plan, but still too long
Call me crazy (especially in these Twilight Zone times), but the CEO and company officers' primary job is to enhance and protect the company's bottom line - otherwise, they are out of a job and the company closes. Also, it's easy to say "the company should just spend more money" when you aren't the one being held accountable to profitability. Cyber security consultants are EXPENSIVE, especially when they are getting paid a premium to discover and close a breach.

I agree that companies should report breaches, but the problem with this, as in all government solutions, is that they create a "one size fits all" solution that rarely fits even 10% of its target. As pointed out here, what defines a breach? If they find it and don't find a way to close it in 30 days, then the government legislation now makes that company a target. I am pretty sure you don't want that, right?

I think the market has already started forcing companies to reevaluate their cyber security and privacy policies. We don't need any MORE government interference here - the market has already started adjusting.
Marilyn Cohodas
User Rank: Strategist
1/13/2015 | 12:51:38 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I believe the clock starts ticking in the Obama proposal when a breach is confirmed, which makes sense to me.
Ed Telders
User Rank: Apprentice
1/13/2015 | 12:35:06 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
The amount of time elapsed before reporting a breach is very different between the laws in the various states. In some cases they identify specifically what would be in scope for a disclosure and what would not. A national law would at least standardize the approach. Another consideration that is very different in some of the states is when the clock starts ticking; some require notification only after a breach is "confirmed", others require notification if a breach is "suspected".

This could be a very grey area and could give lots of "wiggle room". I haven't seen a company yet that was eager to reveal a breach or system weakness. There will be a lot of pushback on this, I would predict.
Whoopty
User Rank: Ninja
1/13/2015 | 12:27:39 PM
Nice plan, but still too long
I appreciate that these companies don't want to lose too much business over a breach, but it was their security breach. If they didn't want it to happen, surely they should just invest more in security?

If customer details have been stolen, particularly financial information, companies should be required to report it as soon as the extent of the damage is understood. 7 days seems far more reasonable, as people may need to cancel credit cards or change certain account information to prevent their identities being stolen.

It seems very self-centered to only think about your company's bottom line when your lax security has allowed your customers to suffer. 
Marilyn Cohodas
User Rank: Strategist
1/13/2015 | 12:06:24 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I don't know, @Midnight. 30 days sounds reasonable to me. 7 days seems kind of short. What do others think?
Marilyn Cohodas
User Rank: Strategist
1/13/2015 | 12:02:44 PM
Re: a bit late
thanks for the link @SgS125. I'm making it live: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Also totally agree with your idea: a central place for security pros to report attacks etc. would be a great idea.
Midnight
User Rank: Apprentice
1/13/2015 | 11:13:52 AM
The Rainbow books
Way back in the '80s (yes, those eons ago) there was a collection of venerable books for the military on data security. Thin books, each a different color, thus dubbed the rainbow books. The policies were dogmatic, draconian and, well, "military" but sound, unarguable and solid. Very common-sense writing, clear and understandable. I would suggest, in the wake of these breaches, that they are reviewed again as a ruler for comparison. I'll bet that you will find a rule broken every step of the way, for every compromise, every error in the Sony attack. It was preventable.

That being said, 30 days? Make it 7. Businesses deserve the profitability slapdown when they don't take care of the business infrastructure. It's called "minding the shop." No excuse is acceptable when the doors are wide open and no one's home.
SgS125
User Rank: Ninja
1/13/2015 | 9:33:09 AM
Re: a bit late
Every state has breach notification laws.

What we really need is a place to report Internet Crime that results in action being taken.

The FBI has a site to report stuff, but you never hear anything back from them, ever.

I need a place to report brute force attacks, attempts to break web servers, and attempts to inject malware into what I protect. If we simply went after the bad actors and really tried to catch them I think it would make a big difference to those people who can just blast away at your infrastructure with no worry about getting punished.

It's only when they do something big that we even hear that the FBI is interested. Like SONY.

The rest of us just keep plugging along hoping we don't get compromised by some zero day exploit that has been kept a secret for someone's use.

here is a nice list of the current reporting laws:

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx