This week, in the lead up to his State of the Union address, President Obama is talking about cybersecurity — how to ensure our safety in the digital world.
One key proposal sounds pretty straightforward: Companies should tell us — within 30 days — if our data has been hacked. But according to cybersecurity experts, that nice clean number doesn’t address basic issues.
A Firm, Clear Deadline
If your data is stolen, it would be nice to know.
“You can protect yourself, or at least know that you’re at risk when you know that you’ve been breached,” says Davi Ottenheimer, an analyst with the data storage company EMC.
Ottenheimer, who has been auditing retail security for more than a decade, says that if a company doesn’t give explicit warning, “you might not pay attention at all.”
You can’t sign up for credit monitoring, you won’t know to read every line of your bank statement, looking for signs of identity theft — if the company that’s been attacked doesn’t tell you to watch out.
The history of cyberattacks is littered with examples of companies that didn’t want to fess up — like when Wal-Mart waited until 2009 to admit it was hacked in 2005. “They need to be told when to notify people about being harmed,” Ottenheimer says.
The U.S. already has a federal rule on health care breaches. Ottenheimer says this 30-day proposal, for consumer data, gives the company “reasonable enough” time to investigate. And it helps clean up the messiness created by all those state laws that say different things.
“It’s going to have a huge impact because we’ve been working on the state level so far and every state has had its own interpretation,” he says. “The feds may be more reasonable.”
The Wrong Starting Point
A senior administration official describes the proposal as a “major push.” And the National Retail Federation is “very pleased” to have one federal rule to replace the current patchwork, said Mallory Duncan, the group’s general counsel.
But John Dickson, a security expert at Denim Group, says retailers may just be breathing a sigh of relief because Obama isn’t demanding much. “There’s nothing magical about the 30-day notification,” Dickson says. “That is not an understood industry period. It’s largely arbitrary.”
The White House proposal is thin on key details, like: Do the 30 days begin when a company suspects it’s been hacked, or when it confirms the fact? And who exactly has to tell consumers — the brand we know, like Target; or the subcontractor behind the scenes that may have been the weak link in the digital chain?
Also, if the data is super sensitive, Dickson says 30 days may be too long. “Is it just [your] name and address? Or is it name, address and Social Security number?”
Last year the White House announced voluntary standards for companies to follow to protect consumers’ data. Dickson says some of those standards should be mandatory — like the idea that companies storing our data should regularly scan their networks for malicious code and get rid of it.
“These are the kinds of things that resilient companies and secure companies do. You regularly scan for vulnerabilities. You regularly try to identify holes before the bad guys do,” he says.
Focus On Corporate Governance
Tom Brandl with DocuSign offers another idea: Make the big, publicly traded companies sign off on a cybersecurity audit every year — just like the Sarbanes-Oxley Act requires with financial information. That way, the top brass can’t just say after a hack, “Whoops! I didn’t know.”
“Then there’s some skin in the game too from a CEO perspective and a board level perspective,” Brandl says. “There’s an explicit acceptance and sign-off that, ‘Yes, I’m responsible for these things.’ ”
So far, the CEO of Target lost his job over a data breach — but that’s rare. Brandl says the White House could up the stakes for corporate governance in our digital times.