Understand the GDPR legitimate interest vs. consent dilemma

Public Breach Disclosure Laws Up the Ante on Security – But Do They Work as Intended?

David Taylor, Managing Director Technology Consulting, Security and Privacy
Kall Loper, Director Technology Consulting, Security and Privacy

On January 3, The Massachusetts Office of Consumer Affairs and Business Regulation announced that it will report all data breaches to a publicly accessible state website. Previously, this information could only be obtained with a public record request. The new site includes summary information of the breach and is organized by year. The breached organization’s name, the magnitude of the breach and the type of information exposed (Social Security numbers, credit card numbers, etc.) are included in the summary, among other details.

The Massachusetts office’s decision follows other recent examples of states tightening their breach notification statutes and definitions of what constitutes sensitive information. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have all enacted laws requiring companies transacting business with residents of their state to report data breaches.

Any law that intends to protect consumers is, on its face, a good one. However, we feel that a direct, pain-stimulus motivation such as Massachusetts’ public breach notification reporting may work against a more effective approach to remediation by forcing short-term, technical responses that do not necessarily ensure security over the long term.

Faced with a public breach disclosure, there is a tendency for companies to seek to end the pain of public exposure as quickly as possible. But rather than encouraging breached companies to address the complex causes of the breach, public breach reporting encourages narrowly tailored investigations and short-term remediations. A quick-to-implement response such as a firewall or an intrusion detection system may remediate the specific problem found, but not the class of vulnerabilities, or any security architecture failings, employee practices or organizational data use patterns.

Often, system-wide vulnerabilities are not addressed for fear of finding more problems that require reporting, potentially causing further erosion of public confidence, brand value or market capitalization. This ostrich-like approach is surprisingly common, and lengthy, expensive lawsuits are often the result. Unfortunately, direct reporting laws, like the recent one from Massachusetts, only intensify the desire to avoid further discovery for fear of immediate penalties.

In addition to the business risks mentioned above, a technical knowledge gap often holds companies back when it comes to remediating the vulnerabilities leading to the breach. Holistic breach recovery requires a broad range of capabilities, from expertise in technical security practices and organization security practices, like identity and access management, to expertise in public relations, legal and electronic discovery processes, project management and information governance policies.

Without an appropriate formulation of goals and planning, a post-breach remediation can be an expensive exercise in seeking psychological comfort and not much more. Vendors will flock to the breached company’s executives with “solutions” that often do not address the root causes of the organization’s failure. Solution-based answers are good if the goal is to show a lot of activity and reportable benefits; however, when the cash stream ends, the solution vendors depart, leaving the company without a long-term plan toward a more secure organization.

Effective post-breach remediation is a planned set of specific activities that ultimately becomes part of the ongoing information security structure. Among these activities are:

  • Organizational change to address the security practices of end users through employee training and implementation of a company-driven plan to grow security awareness
  • Information policies that take into consideration data protection priorities and are designed to eliminate unnecessary risk and minimize unavoidable risk
  • Information governance, to make information available only to those who need it, but also keep it accessible and flexible based on the company’s needs
  • Agile and responsive security through solutions appropriate to the company’s sustainable efforts and long-term goals.

The developments in laws intended to protect consumers’ personal information from exposure point to a trend – there will be more, not less, required of companies in that regard. The sooner and more comprehensively the complex causes of the breach are addressed, the less there is a chance of a repeated event. Only through a comprehensive and thoughtful response will companies lessen the long-term damage to their public image, brand value and bottom line.

1 comment