Mandatory Breach Reporting?

While some countries and many US states are developing rules regarding breach notifications, there is significant disparity between them that illustrates and underlines the difficulties that would complicate any interstate or international coordination attempts.  A number of US states have introduced or are set to introduce breach notification laws, and many in the business sector have argued that breach notice should be required only when there is a significant risk of harm to individuals.  They argue that breach notice should be limited in this manner to prevent unduly alarming consumers and to avoid the dilution of breach notification for those cases in which a significant risk of harm does exist.

Hawaii legislators have recently introduced bills to amend the state’s data breach notice law.   Two of these legislative measures would eliminate the “risk of harm” trigger for breach notification. Currently, notice to Hawaii consumers is only required where illegal use of the stolen personal information has, or is reasonably likely to occur.

Classifying and then reporting breaches remains extremely difficult for companies, especially when the breach is in one state or country and the customers affected are in another.   There also remains little motivation to report breaches proactively.  I believe that all companies that gather personal or financial information have an obligation to do their best to protect it, and when that obligation is potentially compromised, the owner of that information has a right to know.   It is also common courtesy, something that is becoming lost in modern businesses, to admit that you have lost something that you have been charged to protect.

Companies still appear to cling to the belief that breaches will not be traced back to them.  Security through obscurity is not a solid strategy.  Ask the folks at Heartland, or any of the thousands of businesses that have had breaches tracked back to their doorsteps.  Coming clean about security breaches offers a business the opportunity to improve their security, and to use a negative event to provide a competitive advantage.  Lessons learned, stronger security measures, renewed reputation are all potential benefits of an incident handled correctly.

Canada and the US lack a clear picture of how bad their privacy and security problems are, lack motivation to introduce change beyond regulatory compliance, and have no central repository for gathering informational, statistical and trend data.

A number of the 662 incidents reported in 2010 to The Identity Theft Resource Center, which tracks and monitors security breaches involving personally sensitive information, involved third-party Financial Services companies and criminal activity that exposed small numbers of people to identity theft.  Other incidents were on a larger scale, exposing thousands of records that contained names, Social Security numbers, financial account data and more.  Most incidents remain unreported, so draw your own conclusions here.

I personally would recommend that anyone selecting a third party to handle their security transactions and sensitive information should invest the same amount of time and effort as they would internally, examining the third party's security practices closely.  Have them produce more than just a few select policies and descriptive rhetoric when initially auditing their security processes.  Spend as much time as possible at one or more of their locations, observing their operations and reviewing processes and procedures in action.  Ensure that they have a sound security strategy, not just a policy for regulatory compliance, and that it is actually carried down from management to the staff level and followed by all.  Have them demonstrate how they would detect, prevent, isolate, react to and report a security incident and a breach.

Some companies will seek out shortcuts to attain a regulatory compliance check mark: using outdated, unsupported operating systems hidden behind proxies or other information screens, having poor governance, lacking hardening standards or not abiding by them, and allowing a “cowboy IT philosophy” where uncontrolled change permeates the environment.  Lip service is often paid to Change Management, but it quickly becomes a bureaucratic exercise intended to gain another check mark on an audit sheet rather than serving as a control and metric tool for reporting network health and improving planning.  Vulnerability scanning will often be done for its audit check mark, but only the bare minimum required will be scanned, only within select areas, and using sub-standard tools and manual processes.  If someone is handling sensitive information on your behalf, they had better be doing more than scanning with free tools and relying on CVSS scores that are not examined for actual impact, exploit availability, or vulnerability age as risk factors.
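To make the last point concrete, here is a small vulnerability triage routine, added as an illustration and not code from the original post or from any scanner vendor. It takes a scanner's CVSS base score and adjusts it for the factors the paragraph names: whether a public exploit exists, whether the host is exposed, whether it handles PII, and how long the vulnerability has gone unpatched. The weights, tier thresholds, the `Finding` record, and the `VULN-A`/`VULN-B`/`VULN-C` sample findings are all constructed for the example; real programs would replace them with their own risk model and scanner data.

```python
"""Vulnerability triage that weights CVSS with exploit availability, exposure,
data sensitivity and age. Added illustration; all weights are hypothetical."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # scanner or tracker identifier (constructed values below)
    cvss_base: float      # CVSS base score as reported by the scanner, 0.0-10.0
    published: date       # date the vulnerability was publicly disclosed
    exploit_public: bool  # a working exploit is publicly known
    exposed: bool         # affected host is reachable from untrusted networks
    handles_pii: bool     # affected system stores or processes PII


# Hypothetical weights chosen for illustration, not taken from any standard.
EXPLOIT_WEIGHT = 3.0    # public exploit: the finding is no longer theoretical
EXPOSURE_WEIGHT = 2.0   # reachable from the outside
PII_WEIGHT = 1.5        # a breach here triggers notification obligations
AGE_DIVISOR = 180       # roughly one point per six months left unpatched
AGE_CAP = 2.0           # age contributes at most two points


def priority_score(f: Finding, today: date) -> float:
    """CVSS base score adjusted by context; higher means fix sooner."""
    score = f.cvss_base
    if f.exploit_public:
        score += EXPLOIT_WEIGHT
    if f.exposed:
        score += EXPOSURE_WEIGHT
    if f.handles_pii:
        score += PII_WEIGHT
    age_days = max((today - f.published).days, 0)
    score += min(age_days / AGE_DIVISOR, AGE_CAP)
    return score


def tier(score: float) -> str:
    """Map an adjusted score to a remediation tier (thresholds are hypothetical)."""
    if score >= 13.0:
        return "P1"
    if score >= 9.0:
        return "P2"
    return "P3"


def triage(findings, today: date):
    """Return (vuln_id, rounded score, tier) tuples, most urgent first."""
    scored = [(f.vuln_id, priority_score(f, today)) for f in findings]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(vid, round(s, 2), tier(s)) for vid, s in scored]


# Constructed sample data. Note that VULN-A has the highest CVSS score but
# VULN-B, an old, exploitable flaw on an exposed host holding PII, ranks first.
TODAY = date(2011, 3, 1)
SAMPLE = [
    Finding("VULN-A", 9.8, date(2011, 2, 22), False, False, False),
    Finding("VULN-B", 6.5, date(2009, 3, 1), True, True, True),
    Finding("VULN-C", 4.3, date(2010, 12, 1), False, False, True),
]

if __name__ == "__main__":
    for vid, score, t in triage(SAMPLE, TODAY):
        print(f"{t}  {vid}  priority={score}")
```

Run stand-alone, the script lists VULN-B (CVSS 6.5) as P1 ahead of VULN-A (CVSS 9.8), which is exactly the reordering that a raw CVSS sort hides.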

The concept of “risk of harm” is not an acceptable metric for determining notification requirements, especially if the company involved defines what “risk of harm” actually means. Only a court- or government-appointed, qualified IT forensic specialist should have that authority. I believe that Financial Services companies should begin to report ALL security incidents, and allow examination and determination of impact and notification requirements to take place outside of the breached organization.

In my opinion, the US and Canada both need centralized, publicly available data breach reporting websites.  These sites should allow readers to find out what happened, what information was compromised, and what allowed the breach to occur.  This would also allow law enforcement to better address this type of crime, and hold those who allowed the breach responsible.  The breached company should be forced to take actions that would prevent a recurrence, and to make the necessary investments to ensure the confidentiality and integrity of the data that they are entrusted with.  I suggest that ALL security incidents that may have a potential impact on PII should be recorded and tracked outside of the involved organization.  Yes, that’s a broad statement; it won’t be too popular with businesses, and of course it would take a serious effort to compile and keep updated.  The problems we see today are not going away.  Something needs to be done.

The ITRC is attempting to provide a database of breach records, as are the OSF DataLoss DB and a few others.  However, there needs to be clear guidance as to what delineates a security event, what makes up a security incident, when an incident is considered a breach, and how and where it is reported, recorded and categorized.  I personally hope that responsible and ethically operated businesses will embrace upcoming changes to breach notification laws as productive and valuable.  As the ITRC website says, “Mandatory reporting is on the horizon.  It will be demanded either by consumer lobbying or legislation.”