We were victimized by a hacktivist 416 days ago!
The US Congress is dipping its toes in the water toward requiring companies to admit they have been hacked. The data-breach proposal is one component of a larger draft bill being circulated in the House Judiciary Committee. In addition to raising the maximum penalty for cyber crime, it proposes that a business must disclose a security breach within 14 days of discovering it. In the case of a “major” breach, that window shrinks to a mere 72 hours, and the FBI or the Secret Service must be involved.
HP just released the HP 2012 Cyber Risk Report, which states that it takes 416 days to detect a breach. Hmmm…somewhere the math doesn’t quite make sense. If 416 days is the typical time to identify a data breach, I guess reporting it within 14 days of discovery is not so bad.
Cyber crime, data breaches, and just plain old hacktivists are on the rise. The basic problem is that there is no single law addressing data breach notification. Many industries are regulated differently depending on the state in which they do business. A similar situation exists in Europe, where E.U. officials have introduced their own draft regulation on data breaches, saying the mostly voluntary system currently in place is “too fragmented” and leaves the region more vulnerable. Opponents have argued the proposal is burdensome because it requires notification within 24 hours of a data breach. If the European plan is approved, it could boost the chances that the US Congress will pass something like it, although this isn’t the first time Washington has taken up data-breach notification only to do nothing.
I do get concerned that my data has been breached. It has happened to me several times now, and I wasn’t notified for several months, which I think is totally unacceptable. But on the other side of the coin, the state of Massachusetts has just ruled that zip codes are Personally Identifiable Information (PII). The whole topic doesn’t appear to be as straightforward as one might think.
I do have a problem with a company not knowing for 416 days that a data breach has occurred. Really?
Where do you stand?