Risk
2/7/2014 09:06 AM

Data Breach Notifications: Time For Tough Love

Target and Neiman Marcus came clean quickly about their data breaches, but most businesses don't. It's time for standards -- and fines.

Should businesses that suffer a data breach be legally required to issue a prompt notification to affected consumers?

The White House thinks so. Mythili Raman, the acting assistant attorney general at the Department of Justice, told the Senate Judiciary Committee Tuesday that the White House is proposing the creation of a "consistent national standard" that would require businesses to "provide prompt notice to consumers in the wake of a breach." Breaches involving sensitive information pertaining to 5,000 or more people, as well as any breach involving federal or law enforcement databases, would also have to be reported to federal law enforcement agencies within 10 days of being discovered.

What counts as prompt? A suit filed last month by California attorney general Kamala Harris against Kaiser Foundation Health Plan provides one answer. In 2011, Kaiser lost a hard drive that contained personal information -- names, addresses, birth dates, Social Security numbers -- for 20,539 Kaiser employees and their families. "Kaiser regained custody of the hard drive in December 2011 and conducted a forensic analysis to determine the types of data it contained," according to a blog post from the law firm Hogan Lovells.

Kaiser officials then waited three months to notify affected individuals. California state law requires breached organizations to notify affected consumers "in the most expedient time possible and without unreasonable delay." Cue the state suing Kaiser for $2,500 per violation, which at 20,539 affected individuals could add up to a fine of roughly $51.3 million. "The state alleges that this three-month delay was unwarranted and violated California's unfair competition law," according to Hogan Lovells.

[Do you have control over your data? See Data Governance Plans: Many Companies Don't Have One.]

Eva Casey Velasquez, president and CEO of the nonprofit Identity Theft Resource Center (ITRC), told us that, besides helping to protect affected consumers, states use breach notification laws to deter otherwise legitimate businesses from cutting corners. "Law enforcement also has that obligation to ensure that they keep that playing field level, so businesses don't have an unfair advantage if they don't disclose that information."

In the wake of the breaches at Target, Neiman Marcus, and other retailers, requiring breached businesses to issue prompt and informative notifications to affected consumers has become a legislative rallying cry. "I am working on legislation that would foster quicker notification by replacing the multiple -- and sometimes conflicting -- state notification regimes with a single, uniform federal breach notification regime," Rep. Lee Terry (R-NE) said Wednesday during a House Energy and Commerce Committee hearing.

Likewise, Sen. Dianne Feinstein (D-CA) -- co-author of the Data Security and Breach Notification Act introduced Jan. 30 -- has argued that businesses should make a prompt notification directly to affected consumers. "The public notification is always vague," she said at the Senate Judiciary Committee hearing Tuesday.

This isn't the first time some legislators have attempted to tackle these issues. Feinstein introduced a national mandatory breach notification bill in 2003. It died, as have subsequent efforts.

Instead, many US organizations are governed by a patchwork of notification requirements, including laws on the books in 46 states plus the District of Columbia -- Alabama, Kentucky, New Mexico, and South Dakota, you're out of luck -- which differ on what triggers a notification, how quickly it must go out, and whether state regulators must be told as well. Health data breaches covered by HIPAA, meanwhile, always require direct notification of affected individuals, no later than 60 days after discovery. Breaches involving 500 or more people must also be reported promptly to the Department of Health and Human Services (and, for large breaches in one state, to the media), while smaller breaches need only be logged and reported to HHS annually.

But, as Feinstein has noted, not all notifications are created equal. Over the past seven years, for example, 42% of reported breaches haven't detailed -- to state attorneys general or affected consumers -- the number of compromised records, according to the ITRC, which tracks public breach notifications. A whopping one-third of notifications don't include any details about the breach.

In other words, not all businesses behave like Target, which issued a clear notification to affected consumers within seven days, and then again in January, after investigators found 70 million customer records had been stolen. Likewise, Neiman Marcus said it notified affected customers 37 days after learning about the breach, which involved up to 1.1 million credit cards. But Feinstein (a Neiman Marcus shopper) said Tuesday that she'd received no such notification.

Timing-wise, both retailers were forced to act after journalist Brian Krebs published separate reports that payment processors had traced unusual levels of card fraud back to each of them. They had little choice but to own up, and quickly.

Why not simply hold all breached businesses to a fixed consumer-notification deadline? The ITRC's Casey Velasquez warned against that approach, noting that some breaches are far more complex to investigate than others. "We have to weigh the right of people to know that their information has been breached and compromised with the good of knowing all of the information at once."

She also warned against trickling information out to affected consumers. "I'm not certain that it's better to tell people in chunks. If you say something like 'You must notify them within 24 hours,' and you aren't able to give them the full picture... that does more harm than good." Partially notified consumers have no way of knowing what, if any, actual risks they might face. Breach fatigue -- and subsequent inertia -- may also result.

The Target and Neiman Marcus breaches aside, the widespread paucity of particulars in notifications suggests that many breached businesses haven't invested in an IT infrastructure -- backed by rigorous security policies and the logging to match -- that would let digital forensic investigators reconstruct an attack after the fact. Take this week's disclosure by St. Joseph Health System that it suffered a security breach from Dec. 16 to Dec. 18. Officials said the breach may have exposed 405,000 past and current patients' records, as well as employee information. But the digital forensic investigators hired by the hospital cannot determine exactly what was taken.

Incomplete breach notifications make a mockery of any notion of corporate responsibility, especially given the immense amount of wasted time and stress -- not to mention privacy violations -- facing consumers when a business loses their personal information or financial details. Why, then, are consumers left to clean up the mess?

If Congress wants retailers and other businesses that handle customer data to get serious about securing it, let's start with a parking garage model: you take a ticket when you drive in, and on the way out you pay for the hours you parked. Lost your ticket? Then you pay the maximum.

Do the same for data breaches. If a business can't detail how it was breached or how many customer records, health records, or credit card accounts were stolen, then just presume every record has been compromised. Make it the responsibility of businesses and government agencies to prove otherwise. Maybe then more of them will begin taking data breach prevention seriously.


Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
Li Tan, User Rank: Apprentice
2/7/2014 | 9:28:21 AM
A complicated issue
This is really a complicated issue, even a kind of paradox. The data breach happens and the enterprise is the first victim. Its business data got exposed, which will result in monetary loss. Then the enterprise needs to be responsible for its own customers. The issue of data breach notification is an extremely tough task - how do you word it so that the public is satisfied with the facts stated in the notification? How do you evaluate the actual loss?...
RobPreston, User Rank: Apprentice
2/7/2014 | 9:37:51 AM
Re: A complicated issue
I'm generally not a fan of adding more regulations, but this one seems like a no-brainer. As a customer, that is my data that I've entrusted to the vendor. There's an implied covenant that the vendor will protect it. Should that vendor get breached and my data get stolen, I have a right to know about that. If someone broke into my locker at my local fitness club and stole my sneakers, wouldn't the club have the responsibility to tell me if it knew about the break-in? Even more so with data--because getting notification might allow me to do something about the situation after the fact.
WKash, User Rank: Apprentice
2/18/2014 | 4:56:04 PM
Re: A complicated issue
One of the legitimate challenges companies face in reporting data breaches is the patchwork of laws they face in 46 states, plus the District of Columbia, and US territories. Even doing the right thing can take a long time to figure out.

There's good reason to worry if the federal government steps in with another layer of regulation, but there's merit in standardizing responses to data breaches for companies and their customers. So there may be some good news in the bill introduced this week by Sen. Tom Carper (D-Del.) and Sen. Roy Blunt (R-Mo.) to provide a comprehensive national framework. As they noted, consumers across the country aren't uniformly protected, and the hodgepodge of rules and guidelines companies must follow just isn't that helpful or effective in today's national economy.
danielcawrey, User Rank: Apprentice
2/7/2014 | 7:16:00 PM
Re: A complicated issue
I have never experienced a data loss event in my career, but I can imagine the hardship that would come from it.

You are stuck in the middle of a really bad problem - oftentimes organizations probably don't even know at first the extent of the breach and how they should properly communicate what the problem is.

This is why many companies who are confronted with this problem appear to be fumbling around for the right responses - they initially don't know what to say.
Brian.Dean, User Rank: Apprentice
2/10/2014 | 3:46:24 AM
Re: A complicated issue
It is in the business's interest to protect its customers, their data and privacy. Without a sense of security e-commerce would be nonexistent. If the level of security that a firm provides to their customers is high, then a breach is going to take extra time to investigate. If a non-encrypted hard disk was stolen then it is easy to report: a hard disk containing usernames etc. has been stolen. But if an encrypted hard disk has been stolen, it depends on the level of encryption employed and the ability/resources needed to access the information, which would determine whether the data contained on the hard disk can even be used in a negative fashion.
RichK211, User Rank: Apprentice
2/7/2014 | 10:14:01 AM
Companies That Disclose Crises Protect Reputation
Great idea to mandate disclosure but companies from every industry should want to do that anyway to protect long term reputation and profits. Here are some of my thoughts on the Target matter about how the company handled its public disclosure of the data breach.

http://www.riskandinsurance.com/target-as-target/
Lorna Garey, User Rank: Ninja
2/7/2014 | 12:22:20 PM
Competitive differentiator
I love the parking ticket rule. And, it seems like only a matter of time until businesses spring up that promise NOT to hold any personal data. If I had a choice between Store A that mines the crap out of my info and keeps my CC numbers and Store B that doesn't -- and can prove it via third-party inspection -- guess where I'm shopping.
ChrisMurphy, User Rank: Apprentice
2/7/2014 | 5:58:10 PM
Re: Competitive differentiator
Or, might it spur more companies to use encryption routinely? Some states exempt companies from disclosure if the data's encrypted.
Brian.Dean, User Rank: Apprentice
2/10/2014 | 4:22:13 AM
Re: Competitive differentiator
A low encryption level is better than no encryption. Medium encryption is better than low encryption and so forth. And I take that the higher up we go, the higher will be the cost to deploy encryption. If a state exempts companies from disclosures if they had the data encrypted, it makes sense because it illustrates that the company was thinking about security, but how will a state decide which level of encryption is acceptable.

If a company genuinely cares for security it will not employ the bare minimum that is required by law, but will employ whatever is best based on the level of revenue its service generates. If the bare minimum by law is set too high and an SME cannot earn a profit while enabling encryption, then the business will close shop.
Marilyn Cohodas, User Rank: Strategist
2/10/2014 | 9:50:44 AM
Re: Competitive differentiator
In today's connected world, retailers must view the job of maintaining the security of their customers' personal identity information as a cost of doing business. It seems to me that a third-party certification of some sort against some standard -- encryption or other -- would be the best way to do that.
Li Tan, User Rank: Apprentice
2/13/2014 | 12:18:21 AM
Re: Competitive differentiator
Marilyn, I am fully with you - keeping the confidential information in a secure and secret place is the basic business requirement. The enterprise should keep this in mind and bear the cost. A third-party certification like the ones issued by a CA would be a good choice, but the implementation of it should be reinforced.
Marilyn Cohodas, User Rank: Strategist
2/18/2014 | 4:38:26 PM
Re: Competitive differentiator
I think PCI-DSS SHOULD be seen as a third-party certifier and protection for card holders. But based on recent events, we definitely need something more.