Page 32 - GCN, Feb/Mar 2018

Industry Insight
How agencies should respond to tougher breach reporting statutes

Legislators increasingly criticize companies for the time it takes them to announce cybersecurity attacks that affect millions of consumers. Most states have required that alerts to affected consumers be sent “without unreasonable delay.” But recent high-profile breaches have prompted many states to mandate faster reporting timelines and to impose heavy civil fines on entities that do not comply.

In January, Maryland joined at least five other states that have established 45 days from the time of discovery as the deadline for publicly disclosing a breach. Some states also require the affected entity to provide a year of free identity theft prevention or mitigation services to affected individuals. Alabama and South Dakota are the only states that do not have a breach notification law.

In addition, Congress has discussed overriding the patchwork of state requirements by establishing a national notification standard. For instance, the proposed Data Security and Breach Notification Act would give entities that discover a breach 30 days to issue a notification and would make it a crime — punishable by up to five years in prison — to purposely conceal a breach. It was introduced on the heels of Uber’s revelation that it had waited a year to announce a cyber invasion that exposed 57 million drivers’ and riders’ personal information.

Breach notification bills have stalled at the national level in part because of uncertainty about whether a federal mandate would supersede state laws. States with stricter regulations would be reluctant to accept a less rigorous reporting structure. States’ recent moves to toughen reporting statutes might represent their attempts to preempt a national law by demonstrating that they are already doing what needs to be done to protect citizens.

Elected officials understandably want affected individuals to learn quickly about a breach so they can take protective measures. But premature reporting carries risks for companies and government agencies.

Investigating a security breach requires finding out how the attack happened, identifying its severity, containing the threat and determining whether — and if so, what — confidential information has been compromised. A thorough investigation might take weeks or months. Furthermore, releasing information prematurely can damage an agency’s credibility and erode citizens’ trust if the information later turns out to be erroneous or inaccurate.

Therefore, agencies must strike a balance between protecting citizens and taking the time required to conduct a meticulous forensic investigation. Before a breach occurs, agencies must:

1. Understand the reporting requirements. Many states’ breach-related laws have changed in the past few years. Agencies that do business with citizens or businesses outside their home state must also report a breach according to the dictates of the other states.

2. Review the data they’re storing. Agencies should discontinue storing any data that is not necessary for conducting business and make sure the IT team knows where all the data is stored so it can quickly determine which data may have been compromised if a breach occurs.

3. Develop plans for announcing a breach. Agencies should establish and test an incident response plan that permits officials to disseminate information by the reporting deadline. The plan should identify a certified forensic service firm that can be called in immediately to conduct a comprehensive investigation and should also outline a structure for managing the public announcement.

Adhering to reporting requirements might mean agencies that experience a breach must go public before they have fully determined the extent of the incident. In that case, agencies should link initial assertions to the status of the forensic investigation and be upfront about progress with the fact-finding process while communicating only information verified as accurate. •

— Jayne Friedland Holland is chief security officer at NIC Inc.
