The president has discussed the issues of data privacy and cyber security several times recently, both during press conferences and the State of the Union address. He has put forth a handful of proposals to encourage more robust and more effective information sharing between the federal, state and local governments and organizations in private industry. While the goal of improved information sharing is a good one, there may be some flaws in these proposals.
Communications still need some work
Sharing information about cyber threats is a sound idea at its core, but there are likely still too many kinks in the system for it to be effective right now. In the weeks and months after 9/11, for example, a number of obstacles to vigorous information sharing between the various government agencies and local law enforcement groups came to light. Inefficiencies among those interconnected systems are still being worked out, and the feds have done a poor job of bridging similar communication gaps with private enterprise. The recent Sony hack provides a good example: the company disputed some of the details being broadcast by the White House and the FBI. Clearly the groups hadn’t done a good job of coordinating their responses. Until these communication channels are better established, truly useful information sharing is still a long way off.
Competing goals continue to stymie cooperation
In many cybersecurity cases, law enforcement’s goals differ from what the breached company hopes to achieve. Law enforcement is there to investigate, identify and arrest the perpetrators. The business, on the other hand, must focus on maintaining operations and continuing to generate revenue. Investigators may want to take systems offline and restrict data traffic to preserve evidence, an approach that could threaten the company’s very survival if it prompts customers to take their business elsewhere. The result is a fundamental mismatch between the mindsets that are expected to work together. Before this shared approach can succeed, both government and private enterprise will need to develop a much better understanding of each other’s needs and expectations.
Proposed timeframes are unrealistic
Good intentions need to be balanced with practicality, and in the current environment, the suggestion that businesses provide notification of a breach within 30 days is simply not realistic. In the real world, and considering that some cyber attacks are extremely sophisticated, it can easily take two weeks just to find out what happened, another week or more to determine the scope of the breach and who has been impacted, and yet another week to prepare and send out notification letters. That already puts businesses at the limit of the 30-day window. If companies are required to notify too early, before the scope of the breach is understood, over-notification becomes a real problem. It also creates a situation in which businesses could mishandle their breach response because they are rushing. Neither outcome is good for consumers.
Keep in mind that a handful of state breach notice laws already specifically require notification within 45 days of discovery of a data breach. Most states have more flexible ‘reasonableness’ standards, which in practice have come to mean somewhere between 45 days (the explicit deadline in those few states) and 60 days (the outer limit required under HIPAA/HITECH). Only Florida has moved to a 30-day notification deadline, with the possibility of extending it to 45 days in rare circumstances. I can tell you from experience with Florida’s new deadline that it is an ill-conceived timeframe given the realities of investigating and remediating a data breach. It’s something that sounds good coming from a legislator, but doesn’t really work in the real world.
The onus is still being pushed onto businesses
In general, companies want better data privacy protections for consumers, and most of them want more to be done to prevent cyber crime. However, a large majority of them want less of that burden placed on them, particularly if an information-sharing plan is promoted as a partnership between the government and private enterprise. Many of the solutions proposed by the president still push the responsibility (the expectations, the actions and the penalties) back onto businesses, making it something less than a partnership. If these groups are going to work together successfully, both will need to bring meaningful expertise and resources to the table, and both must be committed to ensuring that everyone’s needs are considered.
Eduard Goodman is chief privacy officer at CyberScout.