About that 30-Day Breach Notice Cybersecurity Legislation Proposal
In a CIO Journal post, Rachael King discusses industry reaction to cybersecurity legislation that President Obama proposed in his January 2015 State of the Union address. Obama’s proposals include provisions enabling security data sharing, modernizing laws on cybercrime, and requiring companies to notify consumers of breaches of their information within a 30-day period. I posted an immediate reaction to the breach notification idea on the LinkedIn Security Architecture group:
- If the primary concern is that 30 days is too short a time to complete an investigation, would it be okay to partially complete an investigation, report what you know in good faith, and then update the report if more facts come to light? I’m sure corporate lawyers would hate that idea. Some might prefer spending MORE time investigating and try – if at all possible – to find grounds NOT to report.
- If the 30-day requirement becomes law, would legal concerns push companies to report every POSSIBLE incident even before their investigation was complete? With all the reporting, would the reputation damage organizations suffer from preliminary reports be reduced as the public became desensitized? Would that be a bad thing?
Now, I’d like to work with colleagues to analyze the advantages and disadvantages of breach notification transparency to the public, and the market.
Advantages of rapid breach notifications
- Functions as an incentive for organizations to prevent breaches, and to enhance their ability to investigate breaches
- Transparency potentially generates a wealth of data on cyberattack techniques, defense failures and incidents. The industry can use this information to better optimize risk management and protection solutions.
- As the public becomes desensitized by getting so much information on breaches, it may draw attention away from the drama and towards risk mitigation strategies
Disadvantages of rapid breach notifications
- In many cases, 30 days isn’t long enough to conclude an investigation. False positives may result and unfairly hurt an organization’s reputation. Perhaps the 30-day report needs to be seen as an “initial report,” with more to follow if required.
- The effort to gather and massage data for constant breach investigations and reports may divert finite security spending from more proactive pursuits.
As usual in the political sphere, it’s impossible to make everyone happy. For some, 30 days is too short a time to perform investigations; for others it is too long to wait. Others feel that private industry can figure out how to share information through the ISACs without government “help.” What do you think?
- CIOs Eye Cybersecurity Push with “High Level of Interest”
- What You Need to Know About President Obama’s New Steps on Cybersecurity
- Businesses Need Rapid Incident Detection & Response- Why Obama’s Cybersecurity Proposal Misses the Mark
- Industrial Control Systems (ICS) ISAC Vision for Security Information Sharing