I noticed something that I think is troublesome. The large corporations that had serious and well-publicized breaches recently — Sony, Citi, for example — took weeks before alerting customers. A bill before Congress right now would require companies to notify law enforcement within 48 hours of discovering the breach, but they wouldn’t have to notify customers until after assessments were done. (There is a push to have the customer notification time limit tightened.)
I spoke with Mark Hatton, president and CEO of Core Security, about companies that wait weeks before telling consumers their personal data may have been compromised. Why does it take so long? Is it to the company’s advantage to wait? Hatton told me:
Advantage is relative here. The time it takes for any company to respond to an attack can vary depending on industry and the nature of the attack. If the lock on your front door is broken, you can replace it rather quickly. But it gets complicated when you’re looking at an attack against an IT infrastructure as remediation is more difficult than replacing a deadbolt. A company needs to first understand the nature of the attack, sort out the remediation process, and how long that will take. For example, they may want to layer additional technologies like security test and measurement to prevent the problem from happening again. Ultimately they’ll review their risk profiles and how to enhance their security intelligence in response to a problem.
Waiting has its own disadvantages, however: it can erode consumer trust and cause long-term damage to the company's brand. But Hatton pointed out that companies usually have a reason for taking their time to get the word out, possibly so they can fix the problem before it can be exploited further.
When I asked Hatton about the consumer’s right to know, he said this:
Many states have breach notification laws that dictate the timing and notification processes to be followed. Customers certainly have a right to know when their personal information may be at risk. Core’s point of view on this question is a bit different: we believe that companies should be proactively testing their security defenses to determine whether customer data is breachable before a hacker mounts an attack. By identifying their own weaknesses, companies can fix them before an attack occurs. Such an approach will avoid the need to notify customers by avoiding the breach in the first place.
I suppose consumers are going to be angry about a breach, whether they are told the day after it happened or a month after it happened. Perhaps the bottom line to the issue is what FTC Commissioner Edith Ramirez told Congress, according to this msnbc.com article:
[I]f unneeded data was retained, there was just that much more to steal once a breach occurred. “If it’s no longer needed, they should dispose of that information safely,” she told the House subcommittee on commerce, manufacturing and trade.