Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
GonzSTL
GonzSTL,
 User Rank: Ninja
1/14/2015 | 9:19:49 AM
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
" Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says." This ranks high among the important aspects of any proposed legislation regarding breach notification. Can you imagine how much confusion would be caused if a data breach had to be disclosed according to the different provisions of 50 state laws plus the federal law? Any federal legislation should be at least as strict as the most stringent of all the state laws. In that scenario, breach notification would be much simpler for any organization.

"Under the new standard we're proposing, companies would have to notify consumers of a breach within 30 days." As far as the notification timeframe is concerned, 30 days seems a bit long. Here is why I think that way. Confirmation of a breach may take more time that most people realize, given the many clever ways that leaves an organization without proper authorization; it could take days or weeks to confirm exfiltration. Further, it may take an even much longer time to even discover an intrusion. So an organization that has been breached has had plenty of time to gather information and compose a notification. In my opinion, the timeframe should be between 7-14 days.
Kelly Jackson Higgins
Kelly Jackson Higgins,
 User Rank: Strategist
1/14/2015 | 8:45:59 AM
Re: The Rainbow books > 30 days too long? 7 days too short?
That's correct, @marilyn. But who knows how a final bill would be worded--hopefully, not with too much wiggle room.
GAProgrammer
GAProgrammer,
 User Rank: Guru
1/13/2015 | 2:27:02 PM
Re: Nice plan, but still too long
Call me crazy (especially in these Twilight Zone times), but the CEO and company officers' primary job is to enhance and protect the company's bottom line - otherwise, they are out of a job and the company closes. Also, it's easy to say "the company should just spend more money" when you aren't the one being held accountable to profitability. Cyber security consultants are EXPENSIVE, espcially when they are getting paid a premium to discover and close a breach.

I agree that companies should report breaches, but the problem with this, as in all government solutions, is that they create a "one size fits all" solution that rarely fits even 10% of its target. As pointed out here, what defines a brech? If they find it and don't find a way to close it in 30 days, then the government legislation now makes that company a target. I am pretty sure you don't want that, right? 

I think the market has already started forcing companies to reevaluate their cyber security and privacy policies. We don't need any MORE government interference here - the market has already started adjusting.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/13/2015 | 12:51:38 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I believe the clock starts ticking in the Obama proposal when a breach is confirmed, which makes sense to me.
Ed Telders
Ed Telders,
 User Rank: Apprentice
1/13/2015 | 12:35:06 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
The amount to time elapsed before reporting a breach is very different between the laws in the various states.  In some cases they identify specifically what would be in scope for a disclosure and what would not.  A national law would at least standardize the approach.  Another consideration that is very different in some of the states is when the clock starts ticking, some require notification only after a breach is "confirmed", others require notification if a breach is "suspected".

This could be a very grey area and could give lots of "wiggle room".  I haven't seen a company yet that was eager to reveal a breach or sytem weakness.  There will be a lot of pushback on this I would predict.
Whoopty
Whoopty,
 User Rank: Ninja
1/13/2015 | 12:27:39 PM
Nice plan, but still too long
I appreciate that these companies don't want to lose too much business over a breach, but it was their security breach. If they didn't want it to happen, surely they should just invest more in security?

It customer details have been stolen, particularly financial information, companies shuold be required to report it as soon as the extent of the damage is understood. 7 days seems far more reasonable, as people may need to cancel credit cards ot change certain account information to prevent their identities being stolen.

It seems very self-centered to only think about your company's bottom line when your lax security has allowed your customers to suffer. 
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/13/2015 | 12:06:24 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I don't know, @Midnight. 30 days sounds reasonable to me. 7 days seems kind of short. What do others think?
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
1/13/2015 | 12:02:44 PM
Re: a bit late
thanks for the link @SgS125. I'm making it live: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Also totally agree with your idea for a central place for security pros to report attacks etc. would be a great idea.

 
Midnight
Midnight,
 User Rank: Apprentice
1/13/2015 | 11:13:52 AM
The Rainbow books
Way back in the 80's (yes those eons ago) there was a collection of venerable books for the military on data security. Thin books each a different color, thus dubbed the rainbow books. The policies were dogmatic, draconian and, well, "military" but sound, unargueable and solid. Very common sense writing in clear understandable writing. I would suggest in the wake of these breaches, that they are reviewed again as a ruler for comparision. I'll bet that you will find a rule broken every step of the way, for every compromise, every error in the Sony attack. It was preventable.

That being said, 30 days? make it 7. Businesses deserve the profitability slapdown when they don't take care of the business infrastructure. It's called "minding the shop." No excuse is acceptable when the doors are wide open and no-one's home.
SgS125
SgS125,
 User Rank: Ninja
1/13/2015 | 9:33:09 AM
Re: a bit late
Every state has breach notification laws.

What we really need is a place to report Internet Crime that results in action being taken.

The FBI has a site to report stuff, but you never hear anything back from them, ever.

I need a place to report brute force attacks, attempts to break web servers, and attempts to inject malware into what I protect.  If we simply went after the bad actors and really tried to catch them I think it would make a big difference to those people who can just blast away at your infrastructure with no worry about getting punished.

 

It does only when they do something big that we even hear that the FBI is interested.   Like SONY.

The rest of us just keep plugging along hoping we don't get compromised by some zero day exploit that has been kept a secret for someone's use.

here is a nice list of the current reporting laws:

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-2597
PUBLISHED: 2022-08-08
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.
CVE-2017-2631
PUBLISHED: 2022-08-08
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.
CVE-2017-2657
PUBLISHED: 2022-08-08
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.
CVE-2017-7527
PUBLISHED: 2022-08-08
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none.
CVE-2021-41615
PUBLISHED: 2022-08-08
websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1...