Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


05:46 PM

Shortened Breach Disclosure Periods Could Hurt Consumers

Breach notification window in proposed law will make disclosure less beneficial to victims.

As the SAFE Data Act data breach law made its way to the House Energy and Commerce Committee after passing through the Subcommittee on Commerce, Manufacturing and Trade last week, security experts are wondering at the wisdom of a national data breach law that requires notification within 48 hours of a breach's discovery. While delayed notifications and stonewalling from some companies have been a big problem following data breaches, some security experts believe that an exaggeratedly short notification window will actually end up hurting consumers rather than helping them.

Finding that time-to-disclosure sweet spot is a delicate balance for organizations, experts say. Notify too early and you risk sending out wrong information and alarming customers who may not actually be affected by the breach. That's why many post-breach consultants recommend having a team and a plan ready to quickly conduct forensics on an incident, so that customers can be notified in a timely manner but also that the information disclosed actually helps them.

"What we recommend is doing a very thoughtful and thorough investigation to understand what happened and, more specifically, who's affected," says Tom Quilty, CEO of BD Consulting, a data breach response firm. "You have to really understand what's been exposed and whether or not there are data elements that would create higher risk for someone. Forensics investigation is a critical first step."

At the same time, letting the organization settle into analysis paralysis and taking months on end before taking the notification plunge is also a big mistake. For example, gambling establishment Bet 24 is this week feeling the effects of waiting almost two years to notify customers of a breach that had hackers pilfering their information from Bet24's database. The lengthy delay has enraged customers and taken a toll on Bet24's reputation and the case acts as a cautionary tale for businesses that wait too long to notify.

So where's the middle ground? Larry Ponemon, researcher of Ponemon Institute fame, says that a month is actually likely just about right for many consumers interested in timely notification and provides companies with enough of a buffer to assess the situation and advise customers on how to best minimize their risks.

"Our research in general shows that a systematic and thoughtful notification following a data breach is where you want to be. You want to be able to say with a high degree of accuracy that you are really communicating with people who have been injured in some way or are now victims of data loss," he says. "It's not a good idea to wait too long but you don't want to rush. You've to find that middle ground. It's usually somewhere around the 30-day period. The average person says if you can get to me within thirty days and let me know where I stand on this issue, that's probably OK."

However, if the new SAFE Data Act bill passes companies will have far less than one month to inform consumers about a breach. The bill requires "companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data" and also will mandate that breached companies inform customers within 48 hours of finding wind of an incident. Many within the security world are heralding the bill for its progressive thinking and the politicians backing it are jockeying for position as people tough on cybercrime.

"At the end of the day, I believe this legislation will greatly benefit consumers, businesses and the U.S. economy," Rep. Mary Bono Mack, author of the bill, recently told the Subcommittee on Commerce, Manufacturing and Trade. "Given the growing importance of e-commerce in nearly everything we do, we can no longer afford to sit back and do nothing. The time for action is now."

But as with many legislative mandates, this one poses some counterintuitive unintended consequences. By clamping down so tightly on notification time, lawmakers may cause businesses to act in a way that will actually hurt their customers' best interests. As Ponemon puts it, a two-day stretch is not nearly enough to give breached organizations enough time to investigate a breach to the point where they can provide meaningful information about the breach and the risks posed to those affected by it.

"How can you be thoughtful and how can you go through the process in a way that is systematic and highly accurate in 48 hours?" Ponemon says. "In very rare instances would an organization actually be able to do that, which means they're going to be forced to report and they're probably going to cast a very wide net. A lot of people are going to get notices that don't necessarily apply to them and that will actually diminish the value of the data breach notification itself. Because if everyone gets it, it starts to lose meaning."

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/isotp.c allows privilege escalation to root by leveraging a use-after-free. (This does not affect earlier versions that lack CAN ISOTP SF_BROADCAST support.)
PUBLISHED: 2021-05-11
A flaw was found in the hivex library in versions before 1.3.20. It is caused due to a lack of bounds check within the hivex_open function. An attacker could input a specially crafted Windows Registry (hive) file which would cause hivex to read memory beyond its normal bounds or cause the program to...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11 and before 6.9.12, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to ...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero ConvertXYZToJzazbz() of MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker and processed by an application using ImageMagick. The highest threat from this...
PUBLISHED: 2021-05-11
A flaw was found in ImageMagick in versions before 7.0.11, where a division by zero in sRGBTransformImage() in the MagickCore/colorspace.c may trigger undefined behavior via a crafted image file that is submitted by an attacker processed by an application using ImageMagick. The highest threat from t...