Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


05:46 PM

Shortened Breach Disclosure Periods Could Hurt Consumers

Breach notification window in proposed law will make disclosure less beneficial to victims.

As the SAFE Data Act data breach law made its way to the House Energy and Commerce Committee after passing through the Subcommittee on Commerce, Manufacturing and Trade last week, security experts are wondering at the wisdom of a national data breach law that requires notification within 48 hours of a breach's discovery. While delayed notifications and stonewalling from some companies have been a big problem following data breaches, some security experts believe that an exaggeratedly short notification window will actually end up hurting consumers rather than helping them.

Finding that time-to-disclosure sweet spot is a delicate balance for organizations, experts say. Notify too early and you risk sending out wrong information and alarming customers who may not actually be affected by the breach. That's why many post-breach consultants recommend having a team and a plan ready to quickly conduct forensics on an incident, so that customers can be notified in a timely manner but also that the information disclosed actually helps them.

"What we recommend is doing a very thoughtful and thorough investigation to understand what happened and, more specifically, who's affected," says Tom Quilty, CEO of BD Consulting, a data breach response firm. "You have to really understand what's been exposed and whether or not there are data elements that would create higher risk for someone. Forensics investigation is a critical first step."

At the same time, letting the organization settle into analysis paralysis and taking months on end before taking the notification plunge is also a big mistake. For example, gambling establishment Bet 24 is this week feeling the effects of waiting almost two years to notify customers of a breach that had hackers pilfering their information from Bet24's database. The lengthy delay has enraged customers and taken a toll on Bet24's reputation and the case acts as a cautionary tale for businesses that wait too long to notify.

So where's the middle ground? Larry Ponemon, researcher of Ponemon Institute fame, says that a month is actually likely just about right for many consumers interested in timely notification and provides companies with enough of a buffer to assess the situation and advise customers on how to best minimize their risks.

"Our research in general shows that a systematic and thoughtful notification following a data breach is where you want to be. You want to be able to say with a high degree of accuracy that you are really communicating with people who have been injured in some way or are now victims of data loss," he says. "It's not a good idea to wait too long but you don't want to rush. You've to find that middle ground. It's usually somewhere around the 30-day period. The average person says if you can get to me within thirty days and let me know where I stand on this issue, that's probably OK."

However, if the new SAFE Data Act bill passes companies will have far less than one month to inform consumers about a breach. The bill requires "companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data" and also will mandate that breached companies inform customers within 48 hours of finding wind of an incident. Many within the security world are heralding the bill for its progressive thinking and the politicians backing it are jockeying for position as people tough on cybercrime.

"At the end of the day, I believe this legislation will greatly benefit consumers, businesses and the U.S. economy," Rep. Mary Bono Mack, author of the bill, recently told the Subcommittee on Commerce, Manufacturing and Trade. "Given the growing importance of e-commerce in nearly everything we do, we can no longer afford to sit back and do nothing. The time for action is now."

But as with many legislative mandates, this one poses some counterintuitive unintended consequences. By clamping down so tightly on notification time, lawmakers may cause businesses to act in a way that will actually hurt their customers' best interests. As Ponemon puts it, a two-day stretch is not nearly enough to give breached organizations enough time to investigate a breach to the point where they can provide meaningful information about the breach and the risks posed to those affected by it.

"How can you be thoughtful and how can you go through the process in a way that is systematic and highly accurate in 48 hours?" Ponemon says. "In very rare instances would an organization actually be able to do that, which means they're going to be forced to report and they're probably going to cast a very wide net. A lot of people are going to get notices that don't necessarily apply to them and that will actually diminish the value of the data breach notification itself. Because if everyone gets it, it starts to lose meaning."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
PUBLISHED: 2021-04-19
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be us...
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.