Hacked companies caught in maze of notification requirements

With more businesses, governments and organisations succumbing to cyberattacks, the lack of a clear and effective reporting standard for threats and breaches has taken on new urgency. — Bloomberg

Last summer, Katherine “Kitty” Green received some disturbing news about the computer network at Florida Gulf Coast University, where she oversees a foundation for private donors. An outside data provider warned it had detected that hackers sneaked into the university’s systems and might have made off with sensitive personal information of its benefactors.

Six months later, FGCU sent out notices to 5,498 financial supporters, offering free credit-monitoring and a hot line to call for more information. One reason it took so long is that, after consulting with technical and legal experts, the university concluded that under local laws, it would have to file different notifications in 16 different states.

“Every state has different questions, which makes it much more complicated to know what to do,” Green said. “It was definitely more time-consuming than we’d imagined.”

With more businesses, governments and organisations succumbing to cyberattacks, the lack of a clear and effective reporting standard for threats and breaches has taken on new urgency. Over the weekend, another massive hack of businesses came to light, this time of Microsoft Corp’s widely used email software and affecting at least 60,000 known victims globally, according to a former senior US official with knowledge of the matter.

That announcement comes hard on the heels of the SolarWinds hack, so called because suspected Russian hackers targeted popular software from Texas-based SolarWinds Corp. As many as 18,000 of its customers received infected updates, though far fewer were targeted with secondary attacks – about 100 private-sector companies and nine US agencies, according to the White House.

Notification headache

Amid all these attacks, notifying the public has itself become a major headache. That’s because, as data breaches have proliferated, so too has the patchwork of notification requirements.

On the federal level, there are special rules for personal health records and a Securities and Exchange Commission directive that public companies inform investors of “material” breaches.

Separately, each of the 50 states has its own breach notification requirements, as does the District of Columbia, Puerto Rico and Guam.

In Indiana for instance, at least three dozen organisations have filed data breach notices so far this year to alert a single resident in the state, records from the attorney general’s office indicate. (FGCU filed a notice in Indiana because 34 of its donors live there, the records show.) A number of other states likewise require notification regardless of how many residents were affected.

Organisations reeling from cyberattacks must navigate a reporting maze that “makes the victims’ lives a lot harder”, said Jordan Rae Kelly, a veteran of the National Security Council and the FBI who heads FTI Consulting’s cybersecurity practice in the Americas. “It puts them in a situation where they’re facing disparate rules. I think the federal government should step in with guidelines about data breach disclosures.”

Creating a unified standard for when the private sector must warn of illicit cyber activity has been proposed before but fell short in the face of resistance from some Republicans and business groups, who described it as costly and burdensome and undercutting public-private collaboration. In 2015, the Obama administration proposed “simplifying and standardising the existing patchwork” of what at the time were 46 separate state laws by instituting a “single clear and timely notice requirement”.

Mandatory standards

The Cybersecurity Information Sharing Act of 2015, passed later that year, didn’t go that far. Instead, it provided legal protection to organisations that shared information about cyber threats voluntarily.

“I don’t think our traditional reporting mechanisms necessarily work,” said Senator Mark Warner, chairman of the Senate Select Committee on Intelligence, at a hearing last month where the prospect of drafting new notification standards was discussed. Brad Smith, president of Microsoft, and Kevin Mandia, chief executive officer of FireEye Inc, the cybersecurity firm that discovered the SolarWinds breach, each spoke in favour of mandatory standards for sharing suspicious network activity long before it results in public notifications.

As things now stand, organisations hit by data breaches are often required to disclose them only after determining that consumer data is at risk. That can occur months after a threat is first detected and the value of issuing warnings has diminished. The complexity of US state and federal notice requirements only adds to the lags.

It would have been easier to create a unified disclosure regime before all the states jumped in, but the problem is now urgent enough that policy makers may finally act, said Luke Dembosky, a former deputy assistant attorney general for national security, who now heads Debevoise & Plimpton’s data security practice.

“In the US, we have the Frankenstein notification regime that raises costs and inefficiencies,” he said. – Bloomberg
