Getting Breach Notification Right

Editor’s note: Sam Curry is the chief technology and security officer at Arbor Networks

President Barack Obama proposed in January the first federal standard for data breaches, requiring that companies notify customers of privacy-related breaches within 30 days of discovery. Other standards and regulations exist (47 states at last count had some form of regulation regarding breach disclosure), but there is currently no federal standard to act as a baseline.

This isn’t a new proposal, however, as the debate on the Hill has been ongoing for nearly three years. In the run-up to the State of the Union, all things “cyber” seemed to leap to the top of the agenda in the wake of the high-profile attacks and breaches in late 2014. It should come as no surprise that talk of cyber security, online privacy and a focus on governance for good electronic corporate citizenship became part of the national dialogue.

These are subjects that matter, and the degree to which it could impact us all — corporations and citizens alike — is growing. A quick survey of the blogosphere shows that security people in general tend to back this, but the merits or strengths of a particular measure shouldn’t be confused with the processes of legislation. Security folks should be careful not to be cited out of context as the legislative machine starts up.

Regulations are always sensitive and polarizing in the corporate world. No one wants more cost and complexity for having to follow yet another regulation. Breach notification will require new processes and oversight, new understandings of risk, and new personnel. But the critical point here is that this is needed anyway, with or without a federal regulation. If the government doesn’t demand better disclosure policies for breaches, consumers will soon enough.

To be clear: the right behavior is to disclose, every time.

Requiring breach notification establishes a level playing field that makes it clear to companies: if you have a breach, get ready to talk about it. It also will help reduce the bayonetting of the wounded when breaches occur. Breaches are inevitable, but data theft is not. There is much that can be done after an attacker gets inside a network to prevent them from leaving with valuable information.

Today, the majority of network security spend is focused on the early stages of an attack and the late stages of an attack. The early stage is about trying to prevent attackers from getting into the network in the first place, protecting the perimeter with tools such as web application firewalls, next-generation firewalls, intrusion prevention systems, anti-virus and more. The late stage begins once you know an attacker has gotten in: trying to aggregate all those alerts, piecing together how they got in, what they did inside, and what information they left with.

What’s missing is a solid understanding of the middle: what happens after a threat gets in but before it gets out. It’s time to pay attention to security and make sure that prevention, containment and post-event ethical process and management are top priorities at the C-level and with corporate boards. I would go so far as to say that one of the first principles of any regulation should be to make clear that it is not only arrogant but also unethical to determine risk for someone else and to deprive them of the opportunity to make their own risk decisions, no matter how obvious a corporate board room might think the choices are for victims.

A breach notification law, taken in isolation from other digital and communications requirements, sets the right tone for what to do and what not to do.

In many situations, the conversation isn’t about the right thing to do for the victims (i.e. the end users or businesses whose data is lost) but is instead about the right thing to do for the breached company (e.g. how to avoid legal exposure, bad press, and other risks to the bottom line). That approach has to end.

It’s also important to establish that the specific moment a breach occurs isn’t always simple to understand. There’s a popular perspective that it’s easy to know if and when a breach has occurred, but this isn’t like looking in a bank vault and seeing that the money is missing. It isn’t always clear, and it often requires forensic work and proving negatives.

That makes it important to also stress that investigations have to happen promptly, that documented and effective policies exist for calling an incident, and that investigators and executives don’t drag their heels to avoid having to call the time of breach. Once that’s done, setting the time frame to 30 days gives enough time to be sure a breach really has occurred and to determine who the victims are, while leaving no wiggle room for delaying notification of those victims.

A well-written breach-notification law will make it clear that the risk decisions to be made at the top of an affected company are not just about the risk to those that have the privilege of holding data. The time to worry about a breached company’s risk is beforehand in building a cyber-security program and contingencies. Once an incident happens, the needs of the victims become the biggest priority.

Believe it or not, post-breach notification and best practices can be a competitive differentiator. It is inevitable that consumers will begin to pay more attention to their personal privacy and data security, and judge businesses, in part, by their post-breach disclosure behavior. In short, having to disclose is not the end of the world for businesses, and can become something of a check in their favor when done correctly.

A rule like this will make it quite clear that non-disclosure isn’t an option. It will enable us all to focus on making sure that inevitable infrastructure breaches don’t mean data breaches or, when they do, that they are containable. We can also focus on the right areas to improve best practices, work on prevention, invest in new technologies and plan to minimize damage from attacks and frustrate the attackers who commit them.

Most compelling of all, it will enable an approach that always puts the real victims in the center and guides the right behaviors from the outset. Having data isn’t a right for corporations; it’s a privilege and one that must always be treated as such, before, during and after breaches.