As the SAFE Data Act data breach law made its way to the House Energy and Commerce Committee after passing through the Subcommittee on Commerce, Manufacturing and Trade last week, security experts are wondering at the wisdom of a national data breach law that requires notification within 48 hours of a breach's discovery. While delayed notifications and stonewalling from some companies have been a big problem following data breaches, some security experts believe that an exaggeratedly short notification window will actually end up hurting consumers rather than helping them.
Finding that time-to-disclosure sweet spot is a delicate balance for organizations, experts say. Notify too early and you risk sending out wrong information and alarming customers who may not actually be affected by the breach. That's why many post-breach consultants recommend having a team and a plan ready to quickly conduct forensics on an incident, so that customers can be notified in a timely manner but also that the information disclosed actually helps them.
"What we recommend is doing a very thoughtful and thorough investigation to understand what happened and, more specifically, who's affected," says Tom Quilty, CEO of BD Consulting, a data breach response firm. "You have to really understand what's been exposed and whether or not there are data elements that would create higher risk for someone. Forensics investigation is a critical first step."
At the same time, letting the organization settle into analysis paralysis and taking months on end before taking the notification plunge is also a big mistake. For example, gambling establishment Bet 24 is this week feeling the effects of waiting almost two years to notify customers of a breach that had hackers pilfering their information from Bet24's database. The lengthy delay has enraged customers and taken a toll on Bet24's reputation and the case acts as a cautionary tale for businesses that wait too long to notify.
So where's the middle ground? Larry Ponemon, researcher of Ponemon Institute fame, says that a month is actually likely just about right for many consumers interested in timely notification and provides companies with enough of a buffer to assess the situation and advise customers on how to best minimize their risks.
"Our research in general shows that a systematic and thoughtful notification following a data breach is where you want to be. You want to be able to say with a high degree of accuracy that you are really communicating with people who have been injured in some way or are now victims of data loss," he says. "It's not a good idea to wait too long but you don't want to rush. You've to find that middle ground. It's usually somewhere around the 30-day period. The average person says if you can get to me within thirty days and let me know where I stand on this issue, that's probably OK."
However, if the new SAFE Data Act bill passes companies will have far less than one month to inform consumers about a breach. The bill requires "companies and other entities that hold personal information to establish and maintain appropriate security policies to prevent unauthorized acquisition of that data" and also will mandate that breached companies inform customers within 48 hours of finding wind of an incident. Many within the security world are heralding the bill for its progressive thinking and the politicians backing it are jockeying for position as people tough on cybercrime.
"At the end of the day, I believe this legislation will greatly benefit consumers, businesses and the U.S. economy," Rep. Mary Bono Mack, author of the bill, recently told the Subcommittee on Commerce, Manufacturing and Trade. "Given the growing importance of e-commerce in nearly everything we do, we can no longer afford to sit back and do nothing. The time for action is now."
But as with many legislative mandates, this one poses some counterintuitive unintended consequences. By clamping down so tightly on notification time, lawmakers may cause businesses to act in a way that will actually hurt their customers' best interests. As Ponemon puts it, a two-day stretch is not nearly enough to give breached organizations enough time to investigate a breach to the point where they can provide meaningful information about the breach and the risks posed to those affected by it.
"How can you be thoughtful and how can you go through the process in a way that is systematic and highly accurate in 48 hours?" Ponemon says. "In very rare instances would an organization actually be able to do that, which means they're going to be forced to report and they're probably going to cast a very wide net. A lot of people are going to get notices that don't necessarily apply to them and that will actually diminish the value of the data breach notification itself. Because if everyone gets it, it starts to lose meaning."