Shortened Breach Disclosure Periods Could Hurt Consumers
Breach notification window in proposed law will make disclosure less beneficial to victims, say security experts.
As the SAFE Data Act data breach law made its way to the House Energy and Commerce Committee after passing through the Subcommittee on Commerce, Manufacturing, and Trade last week, security experts are wondering at the wisdom of a national data breach law that requires notification within 48 hours of a breach's discovery. While delayed notifications and stonewalling from some companies have been a big problem following data breaches, some security experts believe that an exaggeratedly short notification window will actually end up hurting consumers rather than helping them.
Finding that time-to-disclosure sweet spot is a delicate balance for organizations, experts say. Notify too early and you risk sending out wrong information and alarming customers who may not actually be affected by the breach. That's why many post-breach consultants recommend having a team and a plan ready to quickly conduct forensics on an incident, so that customers can be notified in a timely manner but also that the information disclosed actually helps them.
More Security Insights
- Hybrid Messaging Security Solutions Enhanced Security and Business Flexibility
- Skybox Security Survey: Next-Generation Firewall Management
"What we recommend is doing a very thoughtful and thorough investigation to understand what happened and, more specifically, who's affected," said Tom Quilty, CEO of BD Consulting, a data breach response firm. "You have to really understand what's been exposed and whether or not there are data elements that would create higher risk for someone. Forensics investigation is a critical first step."
At the same time, letting the organization settle into analysis paralysis and taking months on end before taking the notification plunge is also a big mistake. For example, gambling establishment Bet24 is this week feeling the effects of waiting almost two years to notify customers of a breach that had hackers pilfering their information from Bet24's database. The lengthy delay has enraged customers and taken a toll on Bet24's reputation, and the case acts as a cautionary tale for businesses that wait too long to notify.
So where's the middle ground? Larry Ponemon, researcher of Ponemon Institute fame, says that a month is actually likely just about right for many consumers interested in timely notification and provides companies with enough of a buffer to assess the situation and advise customers on how to best minimize their risks.
Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In this Dark Reading Tech Center report, we explain the risks and guide you in setting appropriate cloud security policies, processes and controls. Read our report now. (Free registration required.)