Who Reports Data Breaches?

What language does your organization use (both internally and externally) to talk about security incident response? Was that recent cyberevent an incident or a data breach or both? How do you know? Who decides on required actions — both formally and informally? Let’s explore.

by / June 23, 2018

Data breaches are becoming (almost) commonplace. It seems that major new public and private sector data breaches are announced every week — if not most days.

Most states have laws mandating the public disclosure of data breaches where personally identifiable information (PII) is at risk. You can see the details of those laws at this National Council of State Legislatures (NCSL) website.

I brought this topic up over three years ago, and explored the need for some type of “data breach Richter scale,” and other writers and media organizations like SC magazine have agreed with me. And yet, the data breach problem has only become worse over the past 36 months.

In South Africa, a recent headline proclaimed: Another day, another data breach. Here’s an excerpt:

“Like millions of South Africans, I was jolted out of my Sunday morning snooze by an SMS from Liberty, telling me that its data had been hacked. As limited information about the attack has slowly filtered out, it has only served to raise more questions than answers.

If it was “largely” emails and attachments, whose emails and what attachments — and does this mean my bank statements and medical records are in the hands of cyber-extortionists?

The same is true of several major data breaches that have hit South Africa in recent months, such as the infamous masterdeeds breach that left more than 60-million South Africans’ personal records openly accessible over the internet.

But ultimately, what has been most disturbing about the Liberty attack hasn’t been the lack of concrete information or the intense speculation about how the attackers managed what they did in the first place.

What has been most alarming for me as a consumer is the reality that, in practical terms, there is currently little recourse for South Africans when data breaches like this happen. …”

The same is true for most countries in the world. Many people feel that Equifax may even be benefiting from its horrific data breach due to the free publicity and new business they received.

Looking even wider, this Market Watch article shows even more details about the global trend which clearly demonstrate that the problem is getting worse. Quote: By this count, the number of significant breaches topped 1,300 last year, versus fewer than 200 in 2005.”

But let’s dig a little deeper into this topic to explore data breaches. Could the situation be even worse than reported?

Do All Organizations Comply with Data Breach Laws Now?

It is widely understood that no public- or private-sector leader wants to hear the words, “We have a confirmed data breach.” Almost everything we do in our enterprise security programs as leaders, or consultants, or programmers, or analysts, or ethical hackers, or trainers or company business executives or (fill in the blank with another role including end users) is intended to prevent the moment when those words are said.

So how do organizations decide what to do? When do you report? How can you adjust to different laws in different parts of the country and world?

The answers, in my experience, vary widely.

Here are a few examples:

  • International Association of Privacy Professionals (IAPP.org): Describes four categories (quoting the National Institute of Standards and Technology), including events, security incidents, privacy incidents and data breaches. The definitions of each are in that article, but here is their definition of data breaches: “If a privacy incident meets specific legal definitions, per state and/or federal breach laws, then it is considered a data breach. Data breaches require notification to the affected individuals, regulatory agencies, and sometimes credit reporting agencies or the media. Additionally, contractual obligations require notice to business clients if the incident affected clients’ employees or customers. …”
  • Security Boulevard: Language Matters When It Comes to a Data Breach — “'Data breach' has long been the catch-all term for virtually any cyberincident. The average user understands the general concept of a breach, but doesn’t always realize that there are a variety of cyberattacks that don’t result in a data breach. Ransomware, for instance, encrypts files and makes them inaccessible until the ransom is paid, but often, the files themselves aren’t opened and the data is never breached. Yet when reported, ransomware attacks are almost always equated with data breach. Something happened to the data; therefore, it was breached. ...

According to Benjamin Wright, attorney and SANS Institute instructor of Law of Data Security and Investigations, words such as “breach,” “incident” and “vulnerability” are subject to much interpretation. “An event might look like a breach at first,” he explained, “but it may look differently upon more careful examination. The quantities of evidence that might be relevant to an investigation can be enormous. Experts can disagree about which evidence (logs, alarms and so on) is relevant and which is not.”

  • Law.com : Challenges of a National 72-Hour Data Breach Notification Standard — “In some instances, state laws even contradict each other: Massachusetts, for example, prohibits describing the nature of a breach in any notice, while some other states, including North Carolina, expressly mandate that such information be included. Moreover, states have been amending their breach notification laws with a frequency that complicates the challenge of complying with them. Since the start of 2018 alone, at least 30 states have enacted or are considering bills that would amend existing laws to, among other things, expand the range of covered information and impose stricter deadlines for providing breach notification. This web of varied and changing requirements can be challenging for any entity—and particularly one in the midst of a significant cybersecurity incident—to navigate.”

What Happens When Data Breaches Are Not Reported Quickly?

This important article from Experian explains that “the U.S. Securities and Exchange Commission (SEC) recently updated guidance for public companies to adopt a more straightforward approach when disclosing information on cyber attacks, data breaches, or any material security risks or weaknesses. …”

The SEC updated their guidance in February 2018, and there are penalties and other consequences for not following these rules.

Last year, The Washington Post described why it can take so long for companies to report data breaches. Here’s an excerpt: “Sometimes, companies don't realize they've been breached, as was the case with Yahoo in 2016, when it announced a huge data breach that happened in 2013. The company said it didn't know about the intrusion until years later, thanks to a team of outside investigators.

Even when companies do find a breach on their own, there are other reasons why people may not hear about it right away.

For one, law enforcement may ask a company to keep quiet so as not to alert hackers that a breach has been discovered; several state data breach disclosure laws say companies can delay disclosure for law enforcement requests. …”

In some cases, data breaches have been covered-up. Uber reported that there was no justification for covering-up there data breach. “I think we made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement," John Flynn, Uber's chief information security officer, told a Senate panel.

Flynn confirmed reports that the company paid one of the hackers $100,000 to destroy the stolen data and to not disclose the breach publicly.

As far as the process for data breaches, network forensics are often needed to determine if a data breach occurred during a security incident. This article shows how your organization can determine if a data breach occurred and what the source of the incident was.

More Resources to Help Enterprises

Even if organizations do understand and abide by all the differing global laws regarding data breaches, what steps are used to change from (some type of) “incident” to “data breach?”

Here are some helpful materials:

Final Thoughts

Consumers also need guidance on what to do when they receive a data breach notification. This guide by the Privacy Rights Clearing House can help. It starts with a description of different terms and potential situations:

  1. What is a data breach?
    2. What should you do if your personal information has been exposed by a data breach?
    3. Breach involving your credit or debit card information
    4. Breach involving your existing financial accounts
    5. Breach involving your driver’s license or other government identification documents
    6. Breach involving your Social Security number (SSN)
    7. Breach exposing your password

I would add that consumers need to take advantage of identity theft protection when it is offered. Many people mistakenly believe that they are automatically signed up when they receive a notice in the mail, but they never call the 1-800 number or register for the service.

I am surprised by the percentage of people who don’t take the time to protect themselves in one of the few positive results available after a data breach has occurred.

In conclusion, this wider data breach topic continues to evolve, so I urge all readers to re-examine how they detect, react and respond to data breaches on a personal and organizational level.