What language does your organization use (both internally and externally) to talk about security incident response? Was that recent cyberevent an incident or a data breach or both? How do you know? Who decides on required actions — both formally and informally? Let’s explore.
Data breaches are becoming (almost) commonplace. It seems that major new public and private sector data breaches are announced every week — if not most days.
Most states have laws mandating the public disclosure of data breaches where personally identifiable information (PII) is at risk. You can see the details of those laws at this National Council of State Legislatures (NCSL) website.
I brought this topic up over three years ago, and explored the need for some type of “data breach Richter scale,” and other writers and media organizations like SC magazine have agreed with me. And yet, the data breach problem has only become worse over the past 36 months.
In South Africa, a recent headline proclaimed: Another day, another data breach. Here’s an excerpt:
“Like millions of South Africans, I was jolted out of my Sunday morning snooze by an SMS from Liberty, telling me that its data had been hacked. As limited information about the attack has slowly filtered out, it has only served to raise more questions than answers.
If it was “largely” emails and attachments, whose emails and what attachments — and does this mean my bank statements and medical records are in the hands of cyber-extortionists?
The same is true of several major data breaches that have hit South Africa in recent months, such as the infamous masterdeeds breach that left more than 60-million South Africans’ personal records openly accessible over the internet.
But ultimately, what has been most disturbing about the Liberty attack hasn’t been the lack of concrete information or the intense speculation about how the attackers managed what they did in the first place.
What has been most alarming for me as a consumer is the reality that, in practical terms, there is currently little recourse for South Africans when data breaches like this happen. …”
The same is true for most countries in the world. Many people feel that Equifax may even be benefiting from its horrific data breach — due to the free publicity and new business it received.
Looking even wider, this Market Watch article shows even more details about the global trend, which clearly demonstrates that the problem is getting worse. Quote: “By this count, the number of significant breaches topped 1,300 last year, versus fewer than 200 in 2005.”
But let’s dig a little deeper into this topic to explore data breaches. Could the situation be even worse than reported?
Do All Organizations Comply with Data Breach Laws Now?
It is widely understood that no public- or private-sector leader wants to hear the words, “We have a confirmed data breach.” Almost everything we do in our enterprise security programs as leaders, consultants, programmers, analysts, ethical hackers, trainers, company business executives or (fill in the blank with another role, including end users) is intended to prevent the moment when those words are said.
So how do organizations decide what to do? When do you report? How can you adjust to different laws in different parts of the country and world?
The answers, in my experience, vary widely.
Here are a few examples:
According to Benjamin Wright, attorney and SANS Institute instructor of Law of Data Security and Investigations, words such as “breach,” “incident” and “vulnerability” are subject to much interpretation. “An event might look like a breach at first,” he explained, “but it may look different upon more careful examination. The quantities of evidence that might be relevant to an investigation can be enormous. Experts can disagree about which evidence (logs, alarms and so on) is relevant and which is not.”
What Happens When Data Breaches Are Not Reported Quickly?
This important article from Experian explains that “the U.S. Securities and Exchange Commission (SEC) recently updated guidance for public companies to adopt a more straightforward approach when disclosing information on cyber attacks, data breaches, or any material security risks or weaknesses. …”
The SEC updated its guidance in February 2018, and there are penalties and other consequences for not following these rules.
Last year, The Washington Post described why it can take so long for companies to report data breaches. Here’s an excerpt: “Sometimes, companies don't realize they've been breached, as was the case with Yahoo in 2016, when it announced a huge data breach that happened in 2013. The company said it didn't know about the intrusion until years later, thanks to a team of outside investigators.
Even when companies do find a breach on their own, there are other reasons why people may not hear about it right away.
For one, law enforcement may ask a company to keep quiet so as not to alert hackers that a breach has been discovered; several state data breach disclosure laws say companies can delay disclosure for law enforcement requests. …”
In some cases, data breaches have been covered up. Uber reported that there was no justification for covering up its data breach. “I think we made a misstep in not reporting to consumers, and I think we made a misstep in not reporting to law enforcement,” John Flynn, Uber’s chief information security officer, told a Senate panel.
Flynn confirmed reports that the company paid one of the hackers $100,000 to destroy the stolen data and to not disclose the breach publicly.
As for the process of confirming a data breach, network forensics is often needed to determine whether a data breach occurred during a security incident. This article shows how your organization can determine whether a data breach occurred and what the source of the incident was.
More Resources to Help Enterprises
Even if organizations do understand and abide by all the differing global laws regarding data breaches, what steps are used to change from (some type of) “incident” to “data breach”?
Here are some helpful materials:
Consumers also need guidance on what to do when they receive a data breach notification. This guide by the Privacy Rights Clearinghouse can help. It starts with a description of different terms and potential situations:
I would add that consumers need to take advantage of identity theft protection when it is offered. Many people mistakenly believe that they are automatically signed up when they receive a notice in the mail, but they never call the 1-800 number or register for the service.
I am surprised by the percentage of people who don’t take the time to protect themselves in one of the few positive results available after a data breach has occurred.
In conclusion, this wider data breach topic continues to evolve, so I urge all readers to re-examine how they detect, react and respond to data breaches on a personal and organizational level.