A slight majority of digital security experts surveyed by The Cybersecurity 202 say the United States should follow in the European Union's footsteps and pass a law that requires companies to disclose data breaches quickly.
Europe’s General Data Protection Regulation requires companies with customers in the E.U. to notify regulators of a breach within 72 hours or face a severe penalty. Fifty-four percent of experts we surveyed supported a similar law in the U.S. The Network is our panel of more than 100 cybersecurity leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
Some experts said they favored federal legislation because it would help replace the patchwork of state laws that govern data breach notification in the United States. “Today, companies in the United States are required to comply with 50 different state laws when they suffer a data breach affecting personally identifiable information they control,” said Rep. Jim Langevin (D-R.I.), who has introduced legislation to create a national breach notification standard. “This is bad for business and bad for consumers, who are treated differently depending on where they live.”
“Europe now plays by one set of rules, while the United States plays by over 40,” added Jeff Moss, who founded the Def Con and Black Hat hacking conferences. “This is a costly, confusing and at times contradictory mess that only a national breach notification law can resolve.”
The issue has been in the spotlight in recent weeks. In late September, Facebook reported that hackers stole information that could have allowed them to take over of tens of millions of accounts. After learning of the breach, Facebook disclosed it within 72 hours even though the company did not have all the information about the breach. Google took a different approach. The search giant learned that a software bug exposed data on half a million accounts on its social media service Google in March but did not disclose it until this month -- and was criticized for not being transparent.
Survey respondents disagreed on how much time companies should be given to disclose their breaches. Langevin’s bill, for instance, would offer companies more leeway than GDPR. Instead of three days, they’d have 10 days to notify regulators after discovering a breach, and 30 days to notify consumers. “These timelines allow flexibility for companies to determine the scope of a breach while ensuring prompt notification so people can protect themselves,” he said.
There are competing bills on Capitol Hill, though: Legislation introduced by Sens. Amy Klobuchar (D-Minn.) and John Kennedy (R-La.) would mirror GDPR, requiring companies to disclose a breach within 72 hours of discovering it.
And other experts said 72 hours would be the right time frame. Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, said that window would help the victims of a data breach take quick action to protect themselves from attackers who seek to misuse their information. “Attackers want to monetize the private data the companies store,” he said. “People have a right to know and protect themselves from subsequent attacks using this data, whether it is phishing or fraud. Having a standard like 72 hours will help all companies being on a level playing field and build processes to respond in a timely way.”
Harley Geiger, director of public policy at the cybersecurity firm Rapid7, agreed — provided that the countdown begins “when the company concludes a breach has occurred, not on discovery that an incident or attack occurred.”
“The company will need time to identify and investigate the incident, determine whether data was accessed or exfiltrated, and conclude based on the evidence that a breach has actually occurred,” Geiger said. “Reporting ‘a breach’ to regulators or the public prior to that process can be counterproductive for all sides, including consumers.”
The hack disclosed by Facebook late last month illustrates the complications of reporting a breach early. While Facebook took just three days to notify privacy regulators and the public that hackers may have compromised up to 50 million user accounts, the social media giant had only just begun to investigate the incident at the time of the announcement, and Facebook officials weren’t able to offer users a clear picture of the risks. In an update Friday, Facebook revealed that the hack affected about 20 million fewer users than it previously estimated — but that hackers had stolen more sensitive information than the company initially indicated, including search histories and location data.
Mark Weatherford, a former cybersecurity official in the Department of Homeland Security, supports a breach notification law but cautioned that figuring out the scope of an incident is complex and time-consuming work. “While there needs to be a trigger that starts the process, reporting too soon leads to mistakes, revisions and recriminations that might be avoided by waiting until enough information is gathered,” he said.
Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative, said a U.S. breach notification law should be coupled with measures that provide recourse to breach victims and impose consequences on companies. “Timely notification is important. But without some guidance on what regulators — and victims — should do, it feels somewhat toothless,” she said. “They should specifically address the needs of breach victims and establish some sense of corporate responsibility.”
Yet 46 percent of respondents said the United States shouldn’t impose a breach notification standard similar to the one in Europe.
“Unfortunately, GDPR does not take into account the reality of incident response and will lead to multinational companies disclosing breaches before they can provide accurate information or even be sure their attacker has been flushed from their network,” said Alex Stamos, Facebook’s former chief security officer who is now an adjunct professor at Stanford University. “Any U.S. law should balance promoting speedy disclosure with accurate disclosure.”
Jessy Irwin, head of security at Tendermint, agreed. “Being required to report a breach so early in the investigative process, when new facts emerge and information changes rapidly, will cause much more harm than it prevents on all fronts, especially if reporting has the potential to compromise an organization’s ability to effectively coordinate with law enforcement,” she said. “This kind of instant-gratification breach reporting legislation sets up smaller teams with fewer resources for major, major failure.”
There isn't a one-size-fits-all solution, some experts argued. “Timing isn't always the most important part of transparency,” said Steve Weber, founder and director of the Center for Long Term Cybersecurity at the University of California at Berkeley. “And — as most people in the business know — 72 hours isn't enough time to unravel what has really happened in even a moderately complex breach. The intention behind the law may be good, but this provision is just not sensible.”
Giving companies flexibility is reasonable, as long as they’re acting in the interest of the breach victims, said Cindy Cohn, executive director of the Electronic Frontier Foundation. “While we have been concerned about companies sitting on this bad news, there are also legitimate reasons for delay, like when either the company or law enforcement is trying to identify and catch the perpetrators or when important facts about the situation (how many people are impacted) are still unclear,” she said. “Fiduciary responsibility framing can help give some clarity here; the company must act in the interest of those whose data is impacted, not its own here.”
There could be risks to consumers, too. Some experts worried that a 72-hour timeline could wind up overwhelming users with unnecessary notifications that their information was compromised just to meet the standard. “The deadline is going to produce a lot of half-baked breach reports and lead to ‘breach notice fatigue,’ ” said Stewart Baker, former general counsel of the National Security Agency.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
Keeping up with the news in President Trump’s Washington is exhausting — whether you live here, work in the nation’s capital, or are just watching from afar. That’s why tomorrow, we’re launching Power Up by Jacqueline Alemany. It's a new newsletter from The Washington Post that will land in your inbox before you reach for that first cup of coffee. It will bring you Washington, fast.
Click here to sign up.
— More reactions from The Network on whether the United States should adopt data breach notification legislation:
- “We are supportive of national data breach legislation that provides one unified standard instead of a patchwork of state laws. It is essential, however, that any federal legislation provide realistic and flexible time requirements that allow organizations to conduct investigations and address any vulnerabilities before being required to notify stakeholders. Arbitrary deadlines can be detrimental to both law enforcement investigations and consumer security.” — Michael Beckerman, president and CEO of the Internet Association
- “A strong federal data breach notification law in the United States would not only be good for users, but could reconcile different standards currently in effect in all 50 states (plus some U.S. territories). Such a law should apply to any sensitive information, and not be limited to financial accounts, passwords, and/or identifiers (like social security numbers). This will ensure that notice is provided in situations where users need it most and may finally incentivize necessary research into recovery and mitigation of breaches that result in emotional or psychological impact.” — Amie Stepanovich, U.S. policy manager and global policy counsel at Access Now
- “The question isn't whether we need a federal data breach law. We clearly do. The contentious question that keeps slowing Congressional progress here is whether that law should provide a floor that companies must satisfy while allowing states to have even stricter requirements, or whether it should preempt state laws completely. I think the former is strongly preferable--states are our ‘laboratories of democracy,’ after all, and local policymakers having the agility to test out new policy solutions is increasingly important in this fast-changing security environment. But if Congress pursues the latter and forecloses any innovations from the states in this area of policymaking, then that federal standard better be damned strong and built to last. For all our sakes.” — Kevin Bankston, director of New America’s Open Technology Institute
- “The 72 hour deadline is too inflexible. There should be a more flexible deadline, so a company can conduct proper forensics. An overly-short deadline results in numerous false positives - companies believe they must report even events that turn out, upon investigation, not to qualify as data breaches.” — Peter Swire, privacy and cybersecurity professor at Georgia Tech and senior counsel at Alston & Bird
PINGED: The Facebook hack actually affected far fewer users than the company first estimated, but it involved more sensitive information than initially reported, including search histories and location data. The hack revealed earlier this month directly affected 29 million people on the social network, not 50 million, The Washington Post's Brian Fung reported. “Through a series of interrelated bugs in Facebook’s programming, unnamed attackers stole the names and contact information of 15 million users, Facebook said. The contact information included a mix of phone numbers and email addresses. An additional 14 million users were affected more deeply, having additional details taken related to their profiles, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow.”
Guy Rosen, vice president of product management at Facebook, said in a statement that the company started an investigation after noticing “an unusual spike of activity that began” on Sept. 14. The social network determined on Sept. 25 that it was an attack and fixed the vulnerability within two days, according to Rosen. “The 29 million affected users, along with 1 million whose security tokens were taken but did not appear to have their data stolen, will be receiving customized messages from Facebook identifying specifically which types of information on their profiles, if any, were involved in the breach,” Brian wrote.
PATCHED: Sens. Marco Rubio (R-Fla.) and Mark R. Warner (D-Va.) warned Canadian Prime Minister Justin Trudeau against allowing Chinese tech giant Huawei to take part in the development of Canada's 5G network. Warner, the Senate Intelligence Committee's vice chairman, and Rubio, who also sits on the panel, told Trudeau in a letter dated Oct. 11 that they have “grave concerns” about such a possibility. American officials and lawmakers have repeatedly said that Chinese tech and telecom companies such as Huawei Technologies and ZTE Corp. threaten U.S. national security.
“While Canada has strong telecommunications security safeguards in place, we have serious concerns that such safeguards are inadequate given what the United States and other allies know about Huawei,” the senators said in the letter. “Indeed, we are concerned about the impact that any decision to include Huawei in Canada’s 5G networks will have on both Canadian national security and ‘Five Eyes’ joint intelligence cooperation among the United States, United Kingdom, Australia, New Zealand, and Canada.” Rubio and Warner also suggested that the Canadian government “seek additional information from the U.S. Intelligence Community” if it has any questions on the matter.
On Friday, the Globe and Mail's Steven Chase and Robert Fife reported that “Mr. Trudeau has previously declined to say whether Canada might ban Huawei. ‘We will make decisions based on the facts, on evidence and what is in the best interests of Canadians,’ Mr. Trudeau said in August when asked about this.”
PWNED: Federal authorities sought footage from smart home surveillance cameras as they investigated a lucrative identity theft scheme in Charlotte, Forbes's Thomas Brewster reported Friday. As part of the scheme, Damonte Withers and his group managed to access a database called TLO from the company TransUnion that contains detailed information about millions of Americans, according to Forbes. Users of the TLO database include law enforcement agencies, debt collectors and private companies.
Withers had installed cameras from Nest Labs, Google's connected home division, to monitor activity inside and outside his home, and as Brewster notes, investigators sought access to the footage. “In June last year, Postal Service investigator [Randall] Berkland obtained a warrant ordering Google to hand over all the data related to those cameras,” Brewster wrote. “The company complied, shipping surveillance footage back, along with personal details of its owners. It’s the first known case in the United States in which a federal law enforcement agency has demanded information from a Nest provider, and it has obvious implications for anyone who has purchased a smart home appliance that contains a camera or a microphone.”
On Saturday, Forbes reported that Nest Labs has received requests for user data about 300 times since 2015. “That’s according to a little-documented transparency report from Nest, launched a year after the $3.2 billion Google acquisition,” Brewster wrote. “The report shows around 60 requests for data were received by Google’s unit in the first half of this year alone.”
— In an interview on “60 Minutes” with CBS’s Lesley Stahl, President Trump “acknowledged that Russia interfered in the 2016 presidential campaign, but he sought to blame other countries, as well,” The Washington Post's Felicia Sonmez reported. “‘They meddled. But I think China meddled, too,’ he said. He later ridiculed the notion that his campaign would seek help from Russia. ‘Do you really think I’d call Russia to help me with an election? Give me a break,’ Trump said. ‘They wouldn’t be able to help me at all. Call Russia. It’s so ridiculous.’”
— “The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel,” the Associated Press's Lolita C. Baldor reported. “According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.” The official also told the AP that no classified information was compromised in the breach. The Defense Department had already had a bad week on the cybersecurity front. A Government Accountability Office report released Tuesday found that “until recently, DOD did not prioritize weapon systems cybersecurity.”
— The Senate on Thursday confirmed Adam I. Klein to serve as chairman of the Privacy and Civil Liberties Oversight Board. Senators also confirmed Edward W. Felten and Jane Nitze to serve as members of the board.
— “A group claiming that electronic voting machines used in Tennessee’s largest county are not secure filed a lawsuit Friday to get the voting system replaced with paper ballots after the Nov. 6 election,” the AP's Adrian Sainz reported. “The suit filed in Memphis federal court by Shelby County Advocates for Valid Elections, or SAVE, names Tennessee Secretary of State Tre Hargett, state Coordinator of Elections Mark Goins, Shelby County Administrator of Elections Linda Phillips, and other election officials as defendants. SAVE alleges the touchscreen voting machines used by Shelby County are insecure because they do not produce a voter-verifiable paper trail.”
— More cybersecurity news from the public sector:
— “On the same day Facebook announced that it had carried out its biggest purge yet of American accounts peddling disinformation, the company quietly made another revelation: It had removed 66 accounts, pages and apps linked to Russian firms that build facial recognition software for the Russian government,” the New York Times's Jack Nicas reported. “Facebook said Thursday that it had removed any accounts associated with SocialDataHub and its sister firm, Fubutech, because the companies violated its policies by scraping data from the social network.”
— More cybersecurity news from the private sector:
- ForeScout and W2 Communications organize a discussion on election security in Washington tomorrow.
- TheBridge organizes a discussion titled “Security and Democracy” tomorrow.
- Palo Alto Networks Federal Ignite 2018 conference in Washington on Oct. 23.
Trump meets Pastor Andrew Brunson at White House:
“Ground zero” of Michael’s devastation, ride with rescue teams at Mexico Beach:
Presidential impersonations throughout “Saturday Night Live” history: