Yesterday saw a key presentation from US President Barack Obama, who used what could become a well-worn phrase: “If we’re going to be connected, then we need to be protected.”
As part of a series of movements around the annual State of the Union address, Obama announced plans to introduce a new Consumer Privacy Bill of Rights, better protection of children’s personal information and privacy online and free access to credit scores.
Perhaps most notably, the President announced plans for a single, national standard to protect Americans from identity theft. He said: “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late.
“So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.”
This is key – states such as Massachusetts and California have been leaders in developing standards to protect consumers, but this will drive legislation across the whole country. Over here in the UK, we only have mandatory reporting for data breaches within the public sector, and plans for a new Data Protection standard for Europe have been caught in development hell for around three years.
I asked some key figures from within the information security sector whether this sort of mandate across the whole country and all businesses could be replicated, and whether this will be a good move for the President in his final term.
David Howorth, VP at Alert Logic
“The EU should take stock of the US and their breach notification laws, and learn from them. Bringing in breach notification laws into Europe is a welcome move, but as 72 hours is such a short timeframe, it has the ability to scaremonger consumers and provide inaccurate information.
“A breach ‘doesn’t just happen’ – there is a reconnaissance period where hackers try to infiltrate the network and check for weak links in the infrastructure to get a back-door in; this can happen months before the attack is launched. Then there is an attack phase, and post compromise phase.
“Many companies don’t have the skills or teams in place to be able to analyse and understand what caused a breach and fix it within 24 hours. Some technologies will also take a breach out of scope – e.g. encryption – and so whilst consumers have the right to know their data has been compromised, they need solid facts around what happened, how it happened, what has been done to rectify it and stop it happening in the future. This is just not possible in 24 hours.
“In the case of the US, 30 days notification is the maximum amount of time that a company has to do their analysis, remediation and notification – companies obviously should strive to release this information as quickly as they have a solid update to give to their customers within this timeframe.”
TK Keanini, CTO of Lancope
“This is a good step in the right direction, but a baby step nonetheless. The EU data breach proposal is much more complete as they have not only more timely reporting, but also meaningful penalties that are painful enough to change the behavior of organisations.
“The US desperately needed a national policy as the state-by-state approach made no sense. As this proposal evolves we also need to call out details on encryption like they do in the EU proposal because data protection is best done via cryptography and we need to drive better habits in that realm.”
Andy Green, technical specialist at Varonis
“Sure, a national US breach notification law is long overdue, but the devil is in the details. Perhaps even more important than the time window is what actually triggers a notification.
“California, for example, has a far broader definition of personal information than other states. They consider the exposure of email addresses and online user names—in addition to vanilla personally identifiable information (PII) such as name, address, social security number, etc.—grounds for contacting consumers. Most other states exclude internet-era data in their laws.
“A good starting point for a national breach law is the US’s HIPAA rules for medical information. Besides having a very broad and flexible definition of PII, HIPAA has a low threshold: it just considers the actual exposure of medical data, regardless of whether it can cause direct financial harm, enough to trigger an alert. Many states, by the way, have this harm-based criterion that effectively raises the bar—unnecessarily, we think—for notifying consumers.”
Eduardo Ustaran, partner at Hogan Lovells
“A 30 day notification is definitely more in line with industry practice and far more realistic than a hard 72-hour deadline. In reality, if there is a need to notify a data security incident, this should be done as soon as possible once it is established what to notify and to whom. However, adopting the right measures to stop the causes of the incident and mitigate any adverse effects are a greater priority than making it public.
“In the UK, we do not have a strict data breach notification regime outside the telecoms sector, which creates uncertainty about what to do, so the advantage of having a legal obligation to do this within a specific period of time is that everyone is on a level playing field.
“In the EU, we are likely to end up with a pan-European obligation that requires notification ‘without undue delay’, irrespective of the maximum deadline.”
Jonathan Armstrong, partner at Cordery
“This is certainly more workable. Different US states have different time limits for notifying a data breach. There’s sense in picking one time period for the whole of the US and my gut feeling is that 30 days is more or less the average across all of the States.
“There’s usually also a provision that time does not run whilst law enforcement is on the scene – again that’s sensible, as if there’s a chance of finding the culprits we should be doing that. For various reasons, most organisations want as few people as possible to know about a breach before it’s public. It’s right that the team concentrate on stopping the harm and making sure the breach doesn’t happen again in the first few days – that’s why the 72 hour limit is likely to do more harm than good and why 30 days is a more reasonable and realistic time limit.
“If the EU were to align with the US and introduce a 30 day time limit too, that would have the benefit of certainty, and with a clear rule it is likely that other countries would follow that too and more breaches would be reported. This would have the added advantage of helping get an idea of the size of the problem we all face.”
John Gunn, VP of Corporate Communications at VASCO Data Security
“We applaud the efforts of President Obama. It’s hard to recall any other crime that has victimised so many millions of Americans without a significant response from the government on both a state and national level. These proposals should be welcomed by all Americans.
“The success of any new regulation really depends on two factors – the enforcement efforts and the penalties imposed. If the regulations don’t have teeth and some real bite to them, then they will be ineffective regardless of how honorable the intentions are.”
Steve Hultquist, chief evangelist at RedSeal
“The President’s focus on making sure that breaches are publicised creates additional pressure for all organisations to do whatever is possible to avoid breaches rather than simply respond to them. To avoid being breached, organisations have to be able to see and comprehend their extensive and complex network-interconnected systems and to know all possible attack vectors before they are exploited.
“The most visionary organisations understand that this analysis is actually possible, and deploy systems to continuously monitor their network and systems to safeguard their customers’ information and their critical assets.”