Some infosec pros think one of the reasons a number of organizations aren’t putting enough resources into cyber security is the lack of required publicity about data breaches. The more light shone on a breach, goes the reasoning, the more organizations will realize how embarrassing security incidents are and the more likely they’ll give security more attention.
A proposal to rank the quality of public admissions of security incidents raised over the weekend would be embraced by such thinkers. The idea comes from Jeff Williams, co-founder and CTO of Contrast Security and was outlined by a columnist at Forbes.com who interviewed Williams at last week’s Black Hat security conference.
Too often, Williams complains, public statements include a minimum of information. Admittedly, that may be understandable as the organization has to wrestle with a serious of conflicting goals, including letting customers/partners know as soon as possible of a potential security problem (to comply with regulatory obligations, struggling to understand the depth of a just-discovered problem, not giving away too much to potential attackers and not opening the doors to a negligence lawsuit.
But, Williams argues, “applying an independent score to a data breach could be an effective way to accelerate the path to remediation and restoring trust.”
Things that could be ranked include
- Tone – Is the announcement apologetic and not blaming? Does it acknowledge that there should have been better defenses and that the breach should have been detected and been able to stop the attack?
- Timeline – When was the initial break-in? When was it discovered? How long to disclose?
- Scope – What information was stolen and what control was lost?
- Size – How many people were affected? How many servers?
- Root Cause – What was the underlying vulnerability that was exploited? What defenses are in place and how did the attack bypass the defenses?
- Discovery – Who discovered it? Victims? Security firm? Why didn’t you know earlier?
- Remedy – Are you really making victims whole? For how long? [Personal Health Information – PHI is literally lifelong]
- Future – What are going to do to prevent future/similar attacks?
- Blame – Did you state or imply that the attack was “sophisticated” or “advanced?” Did you provide any evidence of that?
- Oddities – Were there any oddities to the timeline not making sense – or details that stretch credulity.
There are two issues here: One is how much information is owed to the public immediately after a security breach involving personally identifiable information is discovered, and the second is how detailed should a public post-incident report be — or is the public entitled to such a report?
There is scarcity of publicly-available information on Canadian data breaches. We do know that according to a PricewaterhouseCoopers study released earlier this year, one in four Canadian organizations (26 per cent) said they hadn’t carried out a single fraud risk assessment in the previous 24 months. Is that because they don’t see the need? Are too small? Aren’t paying enough attention to cyber security.
Canadian data breach metrics will hopefully be at least partially improved when the federal government proclaims its data breach reporting regulations under the Digital Privacy Act (which amends PIPEDA), planned for next year with full implementation required for 2018.
It’s unlikely organizations affected by the legislation will be forced to make their reports public, but since those reports go to the federal privacy commissioner that office may release annual numbers that should give better insight into how serious breaches are here.
Note that in June the privacy commissioner’s office submitted a brief to Innovation Canada on what it thinks organizations should have to report to the commissioner. This includes
- Estimated number of individuals affected by the breach;
- Description of the personal information involved in the breach;
- Date of the breach, if known, or alternatively estimated date or date range within which the breach is believed to have occurred;
- A list of other organizations involved in the breach, including affiliates or third party processors;
- An assessment of the risk of harm to individuals resulting from the breach;
- A description of any steps planned or already taken to notify affected individuals, including:
- date of notification or timing of planned notification;
- whether notification has been or will be undertaken directly or indirectly and, when applicable, rationale for indirect notification;
- a copy of the notification text or script;
- A list or description of third party organizations that were notified of the breach, pursuant to s. 10.2(1) of PIPEDA, as well as Privacy Enforcement Authorities from other jurisdictions;
- A description of mitigation measures that have been or will be undertaken to contain the breach and reduce or control the risk of harm to affected individuals,
- A description of the organization’s relevant security safeguards, taking into consideration any improvements made or committed to, to protect against the risk of a similar breach reoccurring in the future.
How much information and when should organizations be forced to public divulge when a breach involves personal information? Let us know in the comments section below.