It has been reported that President Obama has proposed a national data breach notification standard, legislation that would require breached companies to notify affected consumers within 30 days. Below are comments by TK Keanini, CTO at Lancope, and David Howorth, VP EMEA at Alert Logic.
TK Keanini, CTO, Lancope, says: "This is a good step in the right direction but a baby step nonetheless. The EU data breach proposal is much more complete, as it has not only more timely reporting but also meaningful penalties that are painful enough to change the behaviour of organisations. The US desperately needed a national policy, as the state-by-state approach made no sense. As this proposal evolves we also need to call out details on encryption like they do in the EU proposal, because data protection is best done via cryptography and we need to drive better habits in that realm."
David Howorth, VP EMEA, Alert Logic, advises: "The EU should take stock of the US and their breach notification laws, and learn from them. Bringing breach notification laws into Europe is a welcome move, but as 24/72 hours is such a short timeframe, it has the ability to scaremonger consumers and provide inaccurate information. A breach 'doesn't just happen' – there is a reconnaissance period where hackers try to infiltrate the network and check for weak links in the infrastructure to get a back door in. This can happen months before the attack is launched. Then there is an attack phase, and a post-compromise phase. Most companies that use threat detection and continuous monitoring tools, such as network intrusion detection, web application firewalls, log management or SIEM (either standalone for their IT teams to support or as a managed service), have, via rich security content and security rules, events collected from failed logins, changes to admin permissions etc. that can help them stay on top of vulnerabilities before they are exploited. However, many companies don't have the skills or teams in place to be able to analyse and understand what caused a breach AND fix it within 24 hours. Some technologies will also take a breach out of scope – e.g. encryption – and so whilst consumers have the right to know their data has been compromised, they need solid facts around what happened, how it happened, what has been done to rectify it / stop it happening in the future, and general consumer guidance on next steps (changing logins, passwords, credit cards etc.). This is just not possible in 24 hours. Target, Sony, and many other high-profile breaches just wouldn't have had enough time to conduct a thorough investigation, forensics, remediation plan and guidance to their consumers within 24 hours.
In the case of the US, 30 days' notification is the maximum amount of time that a company has to do its analysis, remediation and notification – companies obviously should strive to release this information as quickly as they have a solid update to give to their customers within this time frame."