Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
GonzSTL
GonzSTL,
User Rank: Ninja
1/14/2015 | 9:19:49 AM
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
" Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says." This ranks high among the important aspects of any proposed legislation regarding breach notification. Can you imagine how much confusion would be caused if a data breach had to be disclosed according to the different provisions of 50 state laws plus the federal law? Any federal legislation should be at least as strict as the most stringent of all the state laws. In that scenario, breach notification would be much simpler for any organization.

"Under the new standard we're proposing, companies would have to notify consumers of a breach within 30 days." As far as the notification timeframe is concerned, 30 days seems a bit long. Here is why I think that way. Confirmation of a breach may take more time that most people realize, given the many clever ways that leaves an organization without proper authorization; it could take days or weeks to confirm exfiltration. Further, it may take an even much longer time to even discover an intrusion. So an organization that has been breached has had plenty of time to gather information and compose a notification. In my opinion, the timeframe should be between 7-14 days.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
1/14/2015 | 8:45:59 AM
Re: The Rainbow books > 30 days too long? 7 days too short?
That's correct, @marilyn. But who knows how a final bill would be worded--hopefully, not with too much wiggle room.
GAProgrammer
GAProgrammer,
User Rank: Guru
1/13/2015 | 2:27:02 PM
Re: Nice plan, but still too long
Call me crazy (especially in these Twilight Zone times), but the CEO and company officers' primary job is to enhance and protect the company's bottom line - otherwise, they are out of a job and the company closes. Also, it's easy to say "the company should just spend more money" when you aren't the one being held accountable to profitability. Cyber security consultants are EXPENSIVE, espcially when they are getting paid a premium to discover and close a breach.

I agree that companies should report breaches, but the problem with this, as in all government solutions, is that they create a "one size fits all" solution that rarely fits even 10% of its target. As pointed out here, what defines a brech? If they find it and don't find a way to close it in 30 days, then the government legislation now makes that company a target. I am pretty sure you don't want that, right? 

I think the market has already started forcing companies to reevaluate their cyber security and privacy policies. We don't need any MORE government interference here - the market has already started adjusting.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:51:38 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I believe the clock starts ticking in the Obama proposal when a breach is confirmed, which makes sense to me.
Ed Telders
Ed Telders,
User Rank: Apprentice
1/13/2015 | 12:35:06 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
The amount to time elapsed before reporting a breach is very different between the laws in the various states.  In some cases they identify specifically what would be in scope for a disclosure and what would not.  A national law would at least standardize the approach.  Another consideration that is very different in some of the states is when the clock starts ticking, some require notification only after a breach is "confirmed", others require notification if a breach is "suspected".

This could be a very grey area and could give lots of "wiggle room".  I haven't seen a company yet that was eager to reveal a breach or sytem weakness.  There will be a lot of pushback on this I would predict.
Whoopty
Whoopty,
User Rank: Ninja
1/13/2015 | 12:27:39 PM
Nice plan, but still too long
I appreciate that these companies don't want to lose too much business over a breach, but it was their security breach. If they didn't want it to happen, surely they should just invest more in security?

It customer details have been stolen, particularly financial information, companies shuold be required to report it as soon as the extent of the damage is understood. 7 days seems far more reasonable, as people may need to cancel credit cards ot change certain account information to prevent their identities being stolen.

It seems very self-centered to only think about your company's bottom line when your lax security has allowed your customers to suffer. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:06:24 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I don't know, @Midnight. 30 days sounds reasonable to me. 7 days seems kind of short. What do others think?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:02:44 PM
Re: a bit late
thanks for the link @SgS125. I'm making it live: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Also totally agree with your idea for a central place for security pros to report attacks etc. would be a great idea.

 
Midnight
Midnight,
User Rank: Apprentice
1/13/2015 | 11:13:52 AM
The Rainbow books
Way back in the 80's (yes those eons ago) there was a collection of venerable books for the military on data security. Thin books each a different color, thus dubbed the rainbow books. The policies were dogmatic, draconian and, well, "military" but sound, unargueable and solid. Very common sense writing in clear understandable writing. I would suggest in the wake of these breaches, that they are reviewed again as a ruler for comparision. I'll bet that you will find a rule broken every step of the way, for every compromise, every error in the Sony attack. It was preventable.

That being said, 30 days? make it 7. Businesses deserve the profitability slapdown when they don't take care of the business infrastructure. It's called "minding the shop." No excuse is acceptable when the doors are wide open and no-one's home.
SgS125
SgS125,
User Rank: Ninja
1/13/2015 | 9:33:09 AM
Re: a bit late
Every state has breach notification laws.

What we really need is a place to report Internet Crime that results in action being taken.

The FBI has a site to report stuff, but you never hear anything back from them, ever.

I need a place to report brute force attacks, attempts to break web servers, and attempts to inject malware into what I protect.  If we simply went after the bad actors and really tried to catch them I think it would make a big difference to those people who can just blast away at your infrastructure with no worry about getting punished.

 

It does only when they do something big that we even hear that the FBI is interested.   Like SONY.

The rest of us just keep plugging along hoping we don't get compromised by some zero day exploit that has been kept a secret for someone's use.

here is a nice list of the current reporting laws:

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-4278
PUBLISHED: 2022-12-03
A vulnerability was found in SourceCodester Book Store Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /hrm/employeeadd.php. The manipulation of the argument empid leads to sql injection. The attack may be initiated remotely. The exploit h...
CVE-2022-4279
PUBLISHED: 2022-12-03
A vulnerability classified as problematic has been found in SourceCodester Human Resource Management System 1.0. Affected is an unknown function of the file /hrm/employeeview.php. The manipulation of the argument search leads to cross site scripting. It is possible to launch the attack remotely. The...
CVE-2022-4280
PUBLISHED: 2022-12-03
A vulnerability, which was classified as problematic, has been found in Dot Tech Smart Campus System. Affected by this issue is some unknown functionality of the file /services/Card/findUser. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been ...
CVE-2022-4277
PUBLISHED: 2022-12-03
A vulnerability was found in Shaoxing Background Management System. It has been declared as critical. This vulnerability affects unknown code of the file /Default/Bd. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to t...
CVE-2022-4275
PUBLISHED: 2022-12-03
A vulnerability has been found in House Rental System and classified as critical. Affected by this vulnerability is an unknown functionality of the file search-property.php of the component POST Request Handler. The manipulation of the argument search_property leads to sql injection. The attack can ...