The Hardest Part of a Major Security Breach? Disclosing It
The Equifax breach last month was made worse by the fact that it took the company more than a month to disclose it to the public. Your organization, if it ever runs into an issue like this, will need to be faster—in part because of law changes globally.
Equifax’s disclosure last month that it had been hit by a massive security breach raised a lot of questions in the IT space about proper disclosure decorum.
Short version: Equifax knew about the breach for more than a month before it told the public on September 7, which potentially hurt the millions of people whose sensitive information was managed by the credit-reporting agency.
At a hearing before the House Energy and Commerce Committee last week, former Equifax CEO Richard Smith revealed that he didn’t personally know the full scope of the breach until August 17, nearly three weeks after the company was first made aware of the existence of a problem. It took another week for the company’s full board to be made aware, and roughly two weeks after that for the public to know.
“The picture was very fluid,” Smith said, according to Wired. “We were learning new pieces of information each and every day. As soon as we thought we had information that was of value to the board I reached out.”
Members of Congress seemed shocked by both the breach and its slow handling. Rep. Anna Eshoo (D-CA) noted that it even seemed to offer a rare moment of unity among legislators.
“Mr. Smith, it seems to me that you’ve accomplished something that no one else has been able to accomplish,” Eshoo said, according to The Hill. “And that is that you have brought Republicans and Democrats together in outrage and distress and frustration over what’s happened because this is huge. This is almost half of the country and their information.”
The disclosure problem has long been an issue with corporate data breaches—in no small part because there is little consistency among existing rules over what’s considered good form for disclosures. In the U.S., these laws have mostly existed at the state level.
This was a point of discussion when Smith met with the House committee last week, and it’s something the European Union is already tackling with its forthcoming implementation of the General Data Protection Regulation (GDPR), which, among other things, adds rules for disclosing data breaches in a timely fashion, for this very reason.
GDPR, which takes effect in May 2018, will require disclosure of the breach to government officials within 72 hours. That means that if your association has any European interests, you can’t be lackadaisical about letting your members know that something has gone awry.
So we may see more legal and regulatory action on this issue, especially outside of the U.S.—and perhaps in it, if Congress can use this hearing as a kick in the pants. But why wait for new laws to force your hand? If you have a proactive approach to cybersecurity in the first place—one that accepts that there are limits to what security mechanisms can do on their own—you can get out ahead of this issue if it ever, in fact, does become an issue. You need to have a response ready if something goes awry, and it needs to be both thoughtful and fast.
Your organization, by its very nature, deals with sensitive information, and while barriers can be put up to protect end users, it’s ultimately the reaction that everyone remembers.
“Defensive and reactive tools like firewalls and other intrusion-protection technology can give you a false sense of security,” DelCor President Dave Coriale wrote in an Equifax postmortem last month. “You need to build a human firewall. Take a proactive stance by instilling a sense of security awareness and personal responsibility in your staff.”
Last week, the discussion platform Disqus, which Associations Now uses, set perhaps a land-speed record for disclosure when it found out that 17.5 million users had been affected by a breach of its database from 2012. It only learned about the existence of the breach last week, however. Disqus says that after learning about the breach on October 5, it started asking users to reset their passwords midway through the next day, and within 24 hours of learning of the breach, it had published a blog post explaining what happened. Prominent security researcher Troy Hunt, who uncovered the breach and disclosed it to Disqus, was quick to give a thumbs-up to the company.
Not everyone was impressed, however; The Register, for one, dinged Disqus for announcing it just before the start of a weekend, when the news was likely to be buried. (Personally, I’d like to think that the company was just acting quickly and didn’t consider the time of disclosure.)
So what Disqus did wasn’t perfect. But it was way better than what much larger companies, like Equifax and Yahoo, have done over the years when faced with much larger data breaches.
I’d like to hope that, if your association is ever in this unfortunate position, it’s ready to jump into action.