Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Ninja
1/14/2015 | 9:19:49 AM
Obama Calls For 30-Day Breach Notification Policy For Hacked Companies
" Larry Clinton, president and CEO of the Internet Security Alliance, says he's hopeful that the administration and Congress will come up with a single national standard that streamlines and unifies the various state laws in breach notification. The mix of different compliance requirements is a burden on many companies, he says." This ranks high among the important aspects of any proposed legislation regarding breach notification. Can you imagine how much confusion would be caused if a data breach had to be disclosed according to the different provisions of 50 state laws plus the federal law? Any federal legislation should be at least as strict as the most stringent of all the state laws. In that scenario, breach notification would be much simpler for any organization.

"Under the new standard we're proposing, companies would have to notify consumers of a breach within 30 days." As far as the notification timeframe is concerned, 30 days seems a bit long. Here is why I think that way. Confirmation of a breach may take more time that most people realize, given the many clever ways that leaves an organization without proper authorization; it could take days or weeks to confirm exfiltration. Further, it may take an even much longer time to even discover an intrusion. So an organization that has been breached has had plenty of time to gather information and compose a notification. In my opinion, the timeframe should be between 7-14 days.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
1/14/2015 | 8:45:59 AM
Re: The Rainbow books > 30 days too long? 7 days too short?
That's correct, @marilyn. But who knows how a final bill would be worded--hopefully, not with too much wiggle room.
User Rank: Guru
1/13/2015 | 2:27:02 PM
Re: Nice plan, but still too long
Call me crazy (especially in these Twilight Zone times), but the CEO and company officers' primary job is to enhance and protect the company's bottom line - otherwise, they are out of a job and the company closes. Also, it's easy to say "the company should just spend more money" when you aren't the one being held accountable to profitability. Cyber security consultants are EXPENSIVE, espcially when they are getting paid a premium to discover and close a breach.

I agree that companies should report breaches, but the problem with this, as in all government solutions, is that they create a "one size fits all" solution that rarely fits even 10% of its target. As pointed out here, what defines a brech? If they find it and don't find a way to close it in 30 days, then the government legislation now makes that company a target. I am pretty sure you don't want that, right? 

I think the market has already started forcing companies to reevaluate their cyber security and privacy policies. We don't need any MORE government interference here - the market has already started adjusting.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:51:38 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I believe the clock starts ticking in the Obama proposal when a breach is confirmed, which makes sense to me.
Ed Telders
Ed Telders,
User Rank: Apprentice
1/13/2015 | 12:35:06 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
The amount to time elapsed before reporting a breach is very different between the laws in the various states.  In some cases they identify specifically what would be in scope for a disclosure and what would not.  A national law would at least standardize the approach.  Another consideration that is very different in some of the states is when the clock starts ticking, some require notification only after a breach is "confirmed", others require notification if a breach is "suspected".

This could be a very grey area and could give lots of "wiggle room".  I haven't seen a company yet that was eager to reveal a breach or sytem weakness.  There will be a lot of pushback on this I would predict.
User Rank: Ninja
1/13/2015 | 12:27:39 PM
Nice plan, but still too long
I appreciate that these companies don't want to lose too much business over a breach, but it was their security breach. If they didn't want it to happen, surely they should just invest more in security?

It customer details have been stolen, particularly financial information, companies shuold be required to report it as soon as the extent of the damage is understood. 7 days seems far more reasonable, as people may need to cancel credit cards ot change certain account information to prevent their identities being stolen.

It seems very self-centered to only think about your company's bottom line when your lax security has allowed your customers to suffer. 
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:06:24 PM
Re: The Rainbow books > 30 days too long? 7 days too short?
I don't know, @Midnight. 30 days sounds reasonable to me. 7 days seems kind of short. What do others think?
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:02:44 PM
Re: a bit late
thanks for the link @SgS125. I'm making it live: http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Also totally agree with your idea for a central place for security pros to report attacks etc. would be a great idea.

User Rank: Apprentice
1/13/2015 | 11:13:52 AM
The Rainbow books
Way back in the 80's (yes those eons ago) there was a collection of venerable books for the military on data security. Thin books each a different color, thus dubbed the rainbow books. The policies were dogmatic, draconian and, well, "military" but sound, unargueable and solid. Very common sense writing in clear understandable writing. I would suggest in the wake of these breaches, that they are reviewed again as a ruler for comparision. I'll bet that you will find a rule broken every step of the way, for every compromise, every error in the Sony attack. It was preventable.

That being said, 30 days? make it 7. Businesses deserve the profitability slapdown when they don't take care of the business infrastructure. It's called "minding the shop." No excuse is acceptable when the doors are wide open and no-one's home.
User Rank: Ninja
1/13/2015 | 9:33:09 AM
Re: a bit late
Every state has breach notification laws.

What we really need is a place to report Internet Crime that results in action being taken.

The FBI has a site to report stuff, but you never hear anything back from them, ever.

I need a place to report brute force attacks, attempts to break web servers, and attempts to inject malware into what I protect.  If we simply went after the bad actors and really tried to catch them I think it would make a big difference to those people who can just blast away at your infrastructure with no worry about getting punished.


It does only when they do something big that we even hear that the FBI is interested.   Like SONY.

The rest of us just keep plugging along hoping we don't get compromised by some zero day exploit that has been kept a secret for someone's use.

here is a nice list of the current reporting laws:


Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...