IT Security Guru

Obama proposes 30 day breach notification – industry views

by The Gurus
January 13, 2015
in Opinions & Analysis
Yesterday saw a key speech from US President Barack Obama, who used a line that could well become a familiar one: “If we’re going to be connected, then we need to be protected.”
As part of a series of announcements in the run-up to the annual State of the Union address, Obama set out plans to introduce a new Consumer Privacy Bill of Rights, better protection of children’s personal information and privacy online, and free access to credit scores.
Perhaps most notably, the President announced plans for a single, national standard to protect Americans from identity theft. He said: “Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late.
“So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.”
This is key: states such as Massachusetts and California have led the way in developing standards to protect consumers, but a federal standard would drive legislation across the whole country. Here in the UK, we only have mandatory reporting of data breaches within the public sector, and plans for a new Data Protection standard for Europe have been stuck in development hell for around three years.
I asked some key figures from within the information security sector whether this sort of mandate across the whole country and all businesses could be replicated, and whether it would be a good move for the President in his final term.
 
David Howorth, VP at Alert Logic
“The EU should take stock of the US and their breach notification laws, and learn from them. Bringing in breach notification laws into Europe is a welcome move, but as 72 hours is such a short timeframe, it has the ability to scaremonger consumers and provide inaccurate information.
“A breach ‘doesn’t just happen’ – there is a reconnaissance period where hackers try to infiltrate the network and check for weak links in the infrastructure to get a back-door in; this can happen months before the attack is launched. Then there is an attack phase, and post compromise phase.
“Many companies don’t have the skills or teams in place to be able to analyse and understand what caused a breach and fix it within 24 hours. Some technologies will also take a breach out of scope – e.g. encryption – and so whilst consumers have the right to know their data has been compromised, they need solid facts around what happened, how it happened, what has been done to rectify it and stop it happening in the future. This is just not possible in 24 hours.
“In the case of the US, 30 days notification is the maximum amount of time that a company has to do their analysis, remediation and notification – companies obviously should strive to release this information as quickly as they have a solid update to give to their customers within this timeframe.”
TK Keanini, CTO of Lancope
“This is a good step in the right direction, but a baby step nonetheless. The EU data breach proposal is much more complete as they have not only more timely reporting, but also meaningful penalties that are painful enough to change the behavior of organisations.
“The US desperately needed a national policy, as the state-by-state approach made no sense. As this proposal evolves we also need to call out details on encryption like they do in the EU proposal, because data protection is best done via cryptography and we need to drive better habits in that realm.”
 
Andy Green, technical specialist at Varonis
“Sure, a national US breach notification law is long overdue, but the devil is in the details. Perhaps even more important than the time window is what actually triggers a notification.
“California, for example, has a far broader definition of personal information than other states. They consider the exposure of email addresses and online user names – in addition to vanilla personally identifiable information (PII) such as name, address, social security number, etc. – grounds for contacting consumers. Most other states exclude internet-era data in their laws.
“A good starting point for a national breach law is the US’s HIPAA rules for medical information. Besides having a very broad and flexible definition of PII, HIPAA has a low threshold: it just considers the actual exposure of medical data, regardless of whether it can cause direct financial harm, enough to trigger an alert. Many states, by the way, have this harm-based criterion that effectively raises the bar – unnecessarily, we think – for notifying consumers.”
 
Eduardo Ustaran, partner at Hogan Lovells
“A 30 day notification is definitely more in line with industry practice and far more realistic than a hard 72-hour deadline. In reality, if there is a need to notify a data security incident, this should be done as soon as possible once it is established what to notify and to whom. However, adopting the right measures to stop the causes of the incident and mitigate any adverse effects is a greater priority than making it public.
“In the UK, we do not have a strict data breach notification regime outside the telecoms sector, which creates uncertainty about what to do, so the advantage of having a legal obligation to do this within a specific period of time is that everyone is on a level playing field.
“In the EU, we are likely to end up with a pan-European obligation that requires notification ‘without undue delay’, irrespective of the maximum deadline.”
 
Jonathan Armstrong, partner at Cordery
“This is certainly more workable. Different US states have different time limits for notifying a data breach. There’s sense in picking one time period for the whole of the US and my gut feeling is that 30 days is more or less the average across all of the States.
“There’s usually also a provision that time does not run whilst law enforcement is on the scene – again that’s sensible, as if there’s a chance of finding the culprits we should be doing that. For various reasons, most organisations want as few people as possible to know about a breach before it’s public. It’s right that the team concentrate on stopping the harm and making sure the breach doesn’t happen again in the first few days – that’s why the 72 hour limit is likely to do more harm than good and why 30 days is a more reasonable and realistic time limit.
“If the EU were to align with the US and introduce a 30 day time limit too, that would have the benefit of certainty, and with a clear rule it is likely that other countries would follow that too and more breaches would be reported. This would have the added advantage of helping get an idea of the size of the problem we all face.”
 

John Gunn, VP of Corporate Communications at VASCO Data Security
“We applaud the efforts of President Obama. It’s hard to recall any other crime that has victimised so many millions of Americans without a significant response from the government on both a state and national level. These proposals should be welcomed by all Americans.
“The success of any new regulation really depends on two factors – the enforcement efforts and the penalties imposed. If the regulations don’t have teeth and some real bite to them, then they will be ineffective regardless of how honourable the intentions are.”
 
Steve Hultquist, chief evangelist at RedSeal
“The President’s focus on making sure that breaches are publicised creates additional pressure for all organisations to do whatever is possible to avoid breaches rather than simply respond to them. To avoid being breached, organisations have to be able to see and comprehend their extensive and complex network-interconnected systems and to know all possible attack vectors before they are exploited.
“The most visionary organisations understand that this analysis is actually possible, and deploy systems to continuously monitor their network and systems to safeguard their customers’ information and their critical assets.”

Tags: Government, Obama
© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic