Differing breach notification requirements across states are problematic
An obstacle to practical data breach analysis is the differing set of breach reporting requirements that span all US states and territories. “At this point, where you’ve got all 50 states and all our territories having data breach notification laws, everybody’s agreed that we need to have breach notification,” Daniel tells CSO. “There’s no reason not to have that be on a national scale.”
Tom Corcoran, head of cybersecurity for the Farmers Insurance Group, agrees. “Companies that operate nationally in the US, every time they have an issue, they have to do a 50-state analysis of what’s required,” he said at the conference. “Setting a national standard would certainly make things a lot easier for American companies, especially for companies that don’t have the resources to have a big regulatory team figure that out.”
Other experts and law enforcement specialists at RSA echoed the call for mandatory breach reporting. “It’s very challenging for a company that does business across state lines to figure out what are all the various potential breach notification obligations,” Luke Dembosky, partner, Debevoise & Plimpton LLP, said. Companies have to undertake “intensive legal analysis that involves identifying what states people are residing in, whether they have a second residence somewhere else that should be taken into consideration,” and that’s just in the US alone. The EU’s General Data Protection Regulation (GDPR) layers a whole different set of obligations on organizations, Dembosky pointed out.
Better information sharing will help combat threats
Aside from better statistics and mandatory breach notification, better information sharing between the government and the private sector will help organizations combat cyber threats. Pointing to the successful role cybersecurity company FireEye played in helping the government manage the SolarWinds crisis, Tonya Ugoretz, deputy assistant director at the FBI, told RSA attendees that “it was very important that they came to the government quickly, but we can’t count on that happening in all cases.” This uncertainty highlights the need for national data breach reporting, she said. “It also shows the importance of some of the kind of proactive relationship building that the government does.”
“That was model behavior, and it was entirely voluntary, and it’s in the public good,” Adam Hickey, deputy assistant attorney general, National Security Division, at the Department of Justice, said, referring to FireEye’s quick action in informing the government of its SolarWinds malware infection. “We’re saying this anecdote demonstrates why that kind of reporting is so important. So, let’s make it easier. Let’s make it mandatory. Let’s encourage them—whatever combination of carrots and sticks comes out of the policy process.”
Government needs to share, too
Daniel warns that information sharing shouldn’t be all in one direction. The government needs to share information back with the private sector. “If you really want to put a dent into the world of cybercrime, it’s going to involve the government letting some parts of the private sector in on things that they’re very uncomfortable letting the private sector in on,” he tells CSO.