Open & Honest - Should Breach Disclosure Be Mandatory?

A few months ago I shared a flight with a very pleasant lady from a European regulatory body.  After shoulder surfing her papers and seeing we were both interested in information security (ironic paradox acknowledged!) we had a long chat about how enterprises could stand a chance against the hacktivist and criminal hordes so intent on stealing their data.

My flight-buddy felt that the future lay in open and honest sharing between organisations – i.e. when one is hacked they would immediately share details of both the breach and the method with their peers and wider industry; this would allow the group to look for similar exploits and prepare to deflect similar attacks. Being somewhat cynical, and having worked in industry, I felt that such a concept was idealised and that organisations would refuse to share such information for fear of reputational or brand damage – she acknowledged that it was proving tougher than she had expected to get her organisations to  join in with this voluntary disclosure!

Across the US and Europe we are seeing a move toward ‘mandatory’breach disclosure; however they have seemingly disparate intentions.  US requirements focus on breaches that may impact an organisations financial condition or integrity, whilst EU breach notification is very focussed on cases where there may have been an exposure of personal data.  Neither of these seem to be pushing us toward this nirvana of ‘collaborative protection’.

In the UK, I’m aware that the certain organizations, within specific sectors, will share information within their small closed communities, unfortunately this is not widespread and certainly does not reflect the concept of ‘open and honest’ as my flight-buddy would have envisaged.

So what is the answer here? As a security professional, it’s tough to acknowledge in a public forum (including this one!) that you may even have something to share with colleagues at other firms, lest the Press get hold of the information and twist it into a fictitious “XXXX Corp hacked!” story. If this European regulator saw her hopes through to reality, and breach notification became compulsory, I wonder if it would be like the prohibition - the drinking still happened just no-one talked about it anymore…

Comments

Mandatory Breach Notification

Andrew:

As you may know, recently in US healthcare, new HIPAA regulations has required mandatory reporting of major breaches to the public. This results obviously in de facto sharing of breach information between healthcare providers, because everyone in the industry is checking the HIPAA breach web site.

This breach reporting often gives useful information on how the breach occured, such as if it is due to a lack of encryption, weaknesses in the security of company web sites, etc.

So time will tell if this mandatory sharing in US healthcare will strengthen security across the industry.

Do you have doubts?

Frank

At our InfraGard Board

At our InfraGard Board meeting this month, our FBI coordinator said the word has gone out from FBI HQ to all the InfraGard coordinators to begin establishing communication and information sharing groups for the 13 critical infrastructure sectors. In the past, the Twin Cities (Minneapolis & Saint Paul) have had various groups that shared such information, but it was pretty much Fortune 1000 organizations and up. The idea here is to provide a forum for anyone to share and learn. Obviously it's in the eraly stages, but there is work being done, at least here in Minnesota to improve information sharing.