Pressures and Pitfalls for Early Disclosure in the Wake of the Anthem Breach
As the investigation continues into yesterday’s announcement of the #AnthemHack, Security Architects Partners will be monitoring to see what it portends for early breach notification. By disclosing early, Anthem broke the typical mold of companies waiting to complete a full investigation. Unless an early report is a complete false positive, it is thought that leak victims can only benefit from early disclosure. For that reason, President Obama recently included a mandatory 30 day mandatory breach notification window in proposed cybersecurity legislation.
I’ve posted my view of the pros and cons of the 30-day breach notification deadline, and some of us are in an ongoing discussion about it on the Linked In Security Architecture group. A few key issues have surfaced so far:
Some practical arguments against quick disclosure
A security practitioner wrote: “Thirty days is too tight, especially if the forensics work and remediation activity are not complete. I think sharing amongst trusted circles would be something that could easily happen within a 30 day window, but many of these breaches have very long tails, where the downstream impact might not be evident. Also, if a zero-day attack was involved responsible disclosure suggests that vendors be given time to fix the new vulnerability before making it public. Forcing a vendor’s hand with an arbitrary 30 day rule before a patch is widely available places even more customers at risk.”
Should reporting be limited to trusted circles?
Does sharing among trusted circles strike a good balance by maximizing the benefit of disclosure to the industry but minimizing “wasted” effort of notifying too broadly, too early and too often?
If so, it’s doable. ISACs are already an “official” public/private concept where trusted circles exist. A new notification law could require notification to an ISAC, or other “registered” trusted circle. This would bring the benefits of broader industry scrutiny and let others learn from the incident. It would do a lot to promote the critical mass needed to get the benefits I wrote about in the ICS ISAC Vision for Security Information Sharing.
Who are we trying to help?
While disclosure to trusted circles would help practitioners, it doesn’t address the breach victims directly. Helping these consumers was the driver for the President’s legislative proposal.
Perhaps the proposal should be modified to also require a public component where some impartial decision maker weighs the question on a case-by-case basis of whether early breach disclosure is important to prevent harm to individuals, or whether disclosure should be delayed.
Perhaps some “grand compromise” could be worked out. Industry – currently struggling with the details of complying with more than 30 State laws in the U.S. – might support a uniform disclosure rule that balances the various interests.
But Fred Cohen, CEO at Management Analytics argues: “I think that any security-related incident requiring action by the people at the company…should immediately be made public (say within 24 hours of first detection) with updates provided no less than at 24 hour intervals thereafter until the incident is over and all identifiable consequences resolved…These reports should be purely factual in nature of course with no spin…I very much dislike any case-by-case or judgment-based version of this because it begs for corruption and arguments. Reveal it all as soon as you know it (24 hours later).”
It’s a legal and regulatory minefield…
James McGovern, Focused on “What’s Next” not “What Is” responds: “I participated in a data loss event with a prior employer and we need to incorporate the following into our thinking:
- Too early of a breach notification without having a handle on the EXACT count of PII exposed will feed the class action lawyers in a way that isn’t helpful.
- We must early-notify regulators in regulated industries and adjust accordingly. In insurance, it takes time to notify all fifty states.
- The industry at large should devise a “maturity model” of sorts such that a company knows how well they did in terms of various roles: legal, call center, public relations, IT security, etc.”
Where “bean counters” rule!
Cohen lashed back: “The problem with delay is that millions of customers may end up harmed by the process. In terms of class action suits, you need decent PR folks making these announcements so as to not induce or exacerbate such problems. But if you know and don’t tell me and I could have mitigated the harm by knowing, then you indeed should be sued…Exact counts are irrelevant to notice. If it’s 1.345.832 vs. 1.345.841 how is that a difference I care about? And why are we always talking about PII leakage here? How about corruption of information in your bank account, loss of your data, unauthorized individuals accessing your twitter account, loss of metadata during a restoration, audit trail failures, etc. These may be just as harmful or worse than leaking my address and phone number, which although they are PII in many locations, are in the phone book.”
But McGovern notes: “Fred, a regulator will want to know exact counts as this is part of the assurance required. In the same sense CEOs get beat up by Wall Street for restating earnings, corporations get beat up by class action lawyers for not getting their numbers right the first time. Lawyers don’t care about one number versus another but rather if the numbers change as they attack process and confidence in numbers.”
And maybe that’s the problem
Cohen again brought the discussion back to “who are we trying to protect” – the CEO, corporate lawyers and regulators or the consumers that are the victims of the breach? I’ll paraphrase his classic comment:
“The problem with ‘balanced regulatory approaches’ is that they’re not about the people impacted but about covering official backsides. This is a large part of why we face endless breaches. We keep aiming at the wrong target and getting upset that we missed. Start with the consequences and who they affect and go from there.”
Recommendations
In the meantime, there’s no actual Federal legislation in the U.S. What should companies do if they experience an incident in this climate of pressure and pitfalls for early notification? Another long time colleague of mine suggested a three step program: “30/60/90:
- Within 30 days of suspected breach – notify customers that ‘a breach has occurred regarding personal data which may affect you. We are actively triaging with the FBI and our internal cybersecurity staff and will provide more information to you as soon as possible.’
- Within 60 days of breach – share preliminary findings with affected parties as well as the press so as to to show an aggressive, proactive investigation.
- Within 90 days of breach – issue as close to a ‘final report’ as possible with a full disclosure of the steps taken and ‘solutions implemented’ to build customer confidence that ‘the cause has been identified and it won’t happen again.’ Of course, there are NO guarantees of that, but this is all intended to show that customer data protection is (finally) being taken very seriously.”