Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


05:46 PM

Shortened Breach Disclosure Periods Could Hurt Consumers

Breach notification window in proposed law will make disclosure less beneficial to victims.

As the SAFE Data Act data breach law made its way to the House Energy and Commerce Committee after passing through the Subcommittee on Commerce, Manufacturing and Trade last week, security experts are wondering at the wisdom of a national data breach law that requires notification within 48 hours of a breach's discovery. While delayed notifications and stonewalling from some companies have been a big problem following data breaches, some security experts believe that an exaggeratedly short notification window will actually end up hurting consumers rather than helping them.

Finding that time-to-disclosure sweet spot is a delicate balance for organizations, experts say. Notify too early and you risk sending out wrong information and alarming customers who may not actually be affected by the breach. That's why many post-breach consultants recommend having a team and a plan ready to quickly conduct forensics on an incident, so that customers can be notified in a timely manner but also that the information disclosed actually helps them.

"What we recommend is doing a very thoughtful and thorough investigation to understand what happened and, more specifically, who's affected," says Tom Quilty, CEO of BD Consulting, a data breach response firm. "You have to really understand what's been exposed and whether or not there are data elements that would create higher risk for someone. Forensics investigation is a critical first step."

At the same time, letting the organization settle into analysis paralysis and taking months on end before taking the notification plunge is also a big mistake. For example, gambling establishment Bet 24 is this week feeling the effects of waiting almost two years to notify customers of a breach that had hackers pilfering their information from Bet24's database. The lengthy delay has enraged customers and taken a toll on Bet24's reputation and the case acts as a cautionary tale for businesses that wait too long to notify.

So where's the middle ground? Larry Ponemon, researcher of Ponemon Institute fame, says that a month is actually likely just about right for many consumers interested in timely notification and provides companies with enough of a buffer to assess the situation and advise customers on how to best minimize their risks.

"Our research in general shows that a systematic and thoughtful notification following a data breach is where you want to be. You want to be able to say with a high degree of accuracy that you are really communicating with people who have been injured in some way or are now victims of data loss," he says. "It's not a good idea to wait too long but you don't want to rush. You've to find that middle ground. It's usually somewhere around the 30-day period. The average person says if you can get to me within thirty days and let me know where I stand on this issue, that's probably OK."

However, if the new SAFE Data Act bill passes companies will have far less than one month to inform consumers about a breach. The bill requires "companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data" and also will mandate that breached companies inform customers within 48 hours of finding wind of an incident. Many within the security world are heralding the bill for its progressive thinking and the politicians backing it are jockeying for position as people tough on cybercrime.

"At the end of the day, I believe this legislation will greatly benefit consumers, businesses and the U.S. economy," Rep. Mary Bono Mack, author of the bill, recently told the Subcommittee on Commerce, Manufacturing and Trade. "Given the growing importance of e-commerce in nearly everything we do, we can no longer afford to sit back and do nothing. The time for action is now."

But as with many legislative mandates, this one poses some counterintuitive unintended consequences. By clamping down so tightly on notification time, lawmakers may cause businesses to act in a way that will actually hurt their customers' best interests. As Ponemon puts it, a two-day stretch is not nearly enough to give breached organizations enough time to investigate a breach to the point where they can provide meaningful information about the breach and the risks posed to those affected by it.

"How can you be thoughtful and how can you go through the process in a way that is systematic and highly accurate in 48 hours?" Ponemon says. "In very rare instances would an organization actually be able to do that, which means they're going to be forced to report and they're probably going to cast a very wide net. A lot of people are going to get notices that don't necessarily apply to them and that will actually diminish the value of the data breach notification itself. Because if everyone gets it, it starts to lose meaning."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
PUBLISHED: 2020-03-31
FasterXML jackson-databind 2.x before mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
PUBLISHED: 2020-03-30
A webserver component in Paessler PRTG Network Monitor 19.2.50 to PRTG 20.1.56 allows unauthenticated remote command execution via a crafted POST request or the what parameter of the screenshot function in the Contact Support form.
PUBLISHED: 2020-03-30
An issue was discovered in USC iLab cereal through 1.3.0. Serialization of an (initialized) C/C++ long double variable into a BinaryArchive or PortableBinaryArchive leaks several bytes of stack or heap memory, from which sensitive information (such as memory layout or private keys) can be gleaned if...