Chris Wolf, an attorney and head of the Proskauer Rose (Washington, D.C.) law firm's privacy and security group, stated in a recent interview that breach notifications should be delayed until all the facts are in about what was lost and who was affected. While this might be a good legal position, I'm not sure this view is shared by victims of a breach, privacy advocates, or me if the delay reaches across weeks or months.
The topic of the discussion with Wolf was the potential for a U.S. Federal breach notification law and the impact on business of similar state regulations. The interview, which appeared in the December/January 2009 issue of CSO, attributes the following to Wolf:
Many of the state regulators who are focusing on [timely notification] are focused on the chronological amount of time between breach and notice. I'm not sure they have a sufficient amount of knowledge of what is involved when a company needs to get its arms wrapped around a breach. Before a company can notify, they need to find out who has been affected and what has been exposed. It is better to have an accurate notice than to cry wolf. Source: Federal Notification Law Unlikely, CSO, December/January 2009, p. 36.
Let's analyze this statement. First, Wolf infers that state regulators might be too intent on mandating time constraints, time constraints with no basis in the realities faced by business. This might be true. However, this is a matter of risk. The risk the regulators assess is that faced by potential victims of a breach. As the period between breach and notification increases, so does potential damage. It isn't about how long it takes a business to get its act together—and it shouldn't be. It's about responding in a way that limits the ability of criminals to leverage stolen data, resulting in financial or other injury to victims.
Wolf also asserts that organizations need time to understand the breach—who was affected and what was taken—before they release a notification. I don't disagree with this. However, making these decisions quickly, within regulatory constraints focused on risk mitigation, is the role of a well-designed and practiced incident response process.
Any organization which collects and keeps PII or ePHI is responsible for protecting it and reacting quickly to mitigate risk due to its loss. Each organization must know where PII and ePHI is stored, use reasonable and appropriate controls to prevent unauthorized access, use intrusion or extrusion monitoring to detect a breach, and document a quick breach response. I define "quick" as hours, not weeks or months.
Organizations unable or unwilling to provide the controls necessary to react immediately to protect customer, employee, or patient information should reconsider keeping it in the first place.
Wolf closes the interview with a warning:
Businesses need to be ready in advance of a breach to know what needs to be done… This is necessary to avoid the regulator scrutiny that has occurred in past cases. If I were to give one piece of advice to businesses, it's get ready in advance for a breach because it is more than likely it's going to happen to you.
With this statement, I strongly agree.
For more information about preparing for and responding to a breach, see Breach of Information at the National Conference of State Legislatures Web site.
Tell us what you think
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.