For instance, until Monday, officials at the Utah Department of
Health believed about 25,096 people had their Social Security numbers
compromised in a recent breach. That number was revised significantly upward to
include an additional 255,000 on April 9, when it became clear that more
records involving Social Security numbers had been accessed than previously understood.
According to state officials, a total of 780,000 people were affected by the
theft of sensitive data, including the 280,096 who had their Social Security
numbers accessed.
In an unrelated incident, Atlanta-based processor Global Payments
was breached, and 1.5 million credit cards have reportedly been
compromised. This breach also turned out not to be a textbook example of how to
disclose, and it serves as another reminder of how important it is that breach
disclosures be handled carefully.
It’s clear that lawmakers, regulators, and most people in
industry want to do the right thing and disclose breach information quickly, so
that people can act swiftly to protect their identities and financial
information. But what good is that when these notifications come out (arguably)
too quickly, and bad information is released? For instance, when VISA and MasterCard first began
alerting banks that a major breach at a credit card processor (which turned out
to be Global Payments) had occurred, it was initially reported that up to 10 million credit card
accounts may have been affected.
It seems this story got ahead of the company, as tech media began
questioning the payment processor’s handling of the incident, just as this
CSOonline.com story did: “Amid breach fallout, Global Payments struggles with
public message.” Since news of the breach broke, many have questioned
the company's handling of the announcement, including how many records have
been compromised, as well as whether only Type 2 card data was stolen, as Global Payments has said
(Type 2 data is primarily the credit card number, expiration
date, etc.), rather than both Type 1 and Type 2 data, as other reports claimed.
If both types were taken, the stolen data would include much more information about the
cardholder and would even make it possible to produce counterfeit cards.
There was such a discrepancy between what has been reported and
what Global Payments has said that many question whether two separate
breaches are being talked about, with one breach that still remains unknown.
I want to be clear that I’m not critiquing Global Payments or the
Utah Department of Health. Not at all - but rather the emphasis by everyone on
the speed to announce and the mess of disclosure laws organizations must
contend with.
Today, perhaps, organizations are moving too quickly to disclose
breaches - before all of the facts are known. In the Global Payments incident,
the CEO said that they disclosed the incident “within hours.”
To obtain a firm understanding of a breach, organizations need to
be able to quickly identify and analyze all the data associated with the
incident. For instance, a thorough evaluation of the file metadata on the
servers known to be compromised, and on those that could possibly have been compromised, will enable
organizations to determine the specific files and records that were
compromised - so that the scope of an incident can be understood from the very
beginning. This can only be achieved with an automated forensic response capability in place.
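The scoping step described above, as an added example that is not part of the original post: given a pre-collected inventory of file timestamps and a per-file count of sensitive records (both constructed here; the record counts simply echo the figures quoted earlier), it flags every file touched inside the incident window and totals the exposed records. It also shows why the server list matters: scoping only the first-implicated host under-counts, which is exactly how an initial number ends up being revised upward.

```python
# Added example, not from the original post. Scoping a breach from file metadata.
# Assumes an inventory of (host, path, mtime, atime, ctime) collected by a
# forensic agent plus a data-classification count per file; all values below
# are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FileMeta:
    host: str
    path: str
    mtime: datetime   # last content modification
    atime: datetime   # last read access
    ctime: datetime   # last inode/metadata change
    records: int      # sensitive records the file holds (0 if none)


def touched_in_window(m: FileMeta, start: datetime, end: datetime) -> bool:
    """A file is in scope if any of its timestamps falls inside the incident window."""
    return any(start <= t <= end for t in (m.mtime, m.atime, m.ctime))


def scope_incident(inventory: Iterable[FileMeta], hosts: Iterable[str],
                   start: datetime, end: datetime) -> Tuple[Dict[str, List[str]], int]:
    """Return {host: [in-scope paths]} and the total sensitive records exposed,
    considering only the hosts listed. A partial host list under-counts."""
    wanted = set(hosts)
    hits: Dict[str, List[str]] = {}
    total = 0
    for m in inventory:
        if m.host in wanted and touched_in_window(m, start, end):
            hits.setdefault(m.host, []).append(m.path)
            total += m.records
    return hits, total


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed inventory: the first alert implicated only db01; db02 was touched too.
INVENTORY = [
    FileMeta("db01", "/data/claims_2011.csv", ts("2012-03-01T10:00"), ts("2012-03-30T02:14"), ts("2012-03-01T10:00"), 25096),
    FileMeta("db01", "/etc/motd", ts("2011-06-01T00:00"), ts("2011-06-01T00:00"), ts("2011-06-01T00:00"), 0),
    FileMeta("db02", "/data/eligibility.db", ts("2012-02-15T09:00"), ts("2012-03-30T02:21"), ts("2012-02-15T09:00"), 255000),
    FileMeta("db02", "/var/log/syslog", ts("2012-03-30T02:22"), ts("2012-03-30T02:22"), ts("2012-03-30T02:22"), 0),
]
WINDOW = (ts("2012-03-30T02:00"), ts("2012-03-30T03:00"))

if __name__ == "__main__":
    print(scope_incident(INVENTORY, ["db01"], *WINDOW))          # partial scope: 25096 records
    print(scope_incident(INVENTORY, ["db01", "db02"], *WINDOW))  # full scope: 280096 records
```

Note that non-sensitive files touched in the window (the syslog here) still belong in the scope list: they are evidence of where the intruder went, even though they add nothing to the record count.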
As we’ve seen in the Utah Department of Health breach, when
organizations rush to disclose they risk announcing before all of the facts are
in. Perhaps they learn several days, or a week, later that additional servers
or records are affected.
Such forensic investigations can take time - at the very least, they
need to take as long as is necessary to obtain an accurate assessment. However,
I think in the rush to do the right thing, and notify the world of a breach,
there is too much focus on immediacy and not enough on accuracy.
Also, part of the issue is that organizations have to contend
with so many disclosure laws. Just in the United States we have nearly one
separate data breach disclosure law for each state. Additionally, in the
European Union, there is currently talk of a data breach notification being
required within 24 hours of knowledge of a breach.
While that seems like an untenable deadline, it certainly points to the fact
that many lawmakers are interested in erring on the side of expediency.
We do need sensible data breach notification laws: People need to
know that certain records have been compromised. But asking companies to
contend with a different data breach notification law wherever they sell
their goods or services seems like overkill.
It’s time for a sensible, unified national data breach
notification law, or even an international agreement: one that balances the
public’s need to know with an organization’s ability to understand precisely
what happened and what records were affected.
With sensible laws that give a nod to accuracy and thoroughness
of the breach announcement, perhaps there’d be much less confusion and more
trust when disclosure announcements are made - and that’d be a welcome change.
# # #