Yesterday, President Obama announced he's proposing new legislation to boost data privacy and custodianship on a national level. As there's a lot to tackle here, I'm breaking my thoughts into a handful of areas.
The need for a Federal mandate on breach notifications and data privacy
Currently, data privacy is a bit of a patchwork that varies a great deal from state to state. Today, 47 states have data breach notification laws, which vary quite broadly. This bill aims to create consistency across the board, providing a clearer level of protection and expectation for consumers and businesses. We saw a similar process with credit card information; prior to the formation of the Payment Card Industry Data Security Standard (PCI-DSS), there were five different credit card security standards that companies had to keep up with, which created a great deal of complexity and confusion.
So what exactly is the President proposing for a Federal data breach notification requirement? We only know the basic details, but the President said he wants to require companies to disclose their data breach to affected consumers within 30 days of the breach.
I believe the President is sending a strong message that security issues must not be swept under the rug, and that companies can be held accountable. I'm glad to see data custodianship taking center stage for the Federal government, and I believe that having a single breach standard will free up security and legal team resources when responding to a compromise.
That said, we need to keep a careful eye on the details of how the bill is formulated when it is released. For example, I am concerned that a 30-day breach notification window may be aspirational. Realistically, most breaches are detected months after the fact, when the attackers are long gone. (The 2014 Verizon DBIR says 66% of breaches take from months to years to detect.) My assumption is that this is 30 days from detection of a compromise, but the devil really is in the details here. Consumers absolutely have a right to know when trust and confidence have been compromised by a breach, but trying to force a too-hasty disclosure timeline could lead to an even greater loss of consumer confidence. We must balance a swift breach announcement, confidence in knowing the scope of a breach and having returned systems to full control, and a measured approach to individual consumer notifications.
Another area we will need to watch for clarification is what is deemed a "breach." For example, if a security researcher finds and tests a vulnerability, does that count as a breach? If so, this is likely to further strain the relationship between researcher and company, which is frequently uneasy at best and downright hostile in many unfortunate cases. We're hoping to see this relationship improve as businesses come to better understand the necessity and value of security research, so we'd hate to see this bill create a bigger rift.
I also think this legislation could go further, helping companies in two ways.
- I'd like to see companies encouraged to share information about what attackers have done; we need to see this information shared beyond just the Critical Infrastructure ISACs, and I think this can be done more efficiently at the corporate level rather than at the federal agency level.
- It could encourage more open dialogue about vulnerability notifications, public announcements, and product and service fixes.
On identifying and preventing identity theft
I think that most security practitioners look at Social Security Numbers (SSNs) as usernames that have been treated as secret passwords. I'd like to see the Administration pushing the credit agencies to formally treat SSNs as identifiers, and require an authentication and authorization event from the taxpayer who owns that SSN before any action is taken. This is (admittedly) a monumental ask; however, I wouldn't use email or any other system if it didn't require a password, so why shouldn't our SSNs? I do not believe our credit system should require consumers to pay a fee to effectively "add a password" to protect their credit lines and identities.
Privacy of information, data, and questions we need to ask
As consumers, we can be quite unaware of how much information we "donate" today to private entities, certainly more than we ever have in history. There are roughly 7 types of data we are giving away that paint a very telling picture of our private lives. I wish more of the public were interested in the "privacy of data" — in understanding exactly what breadcrumbs are out there, and what is being done with their information — but getting to grips with it can be a daunting task.
Try this thought experiment: first, think of all the places where our data comes from. Initially we all think of our cell phone (who we call and text), our credit cards (where we shop and which places we frequent), and our computers (what we read and who we communicate with). Often, though, we aren't thinking about the Internet of Things, which adds your GPS location, samples from your camera or microphone, what you eat, how often you work out, ovulation cycles and reproductive activities, energy usage in your home, and where and how aggressively you drive your car. Adding in those factors, the list doesn't seem to end.
Second, you would need to answer the following questions for every online service you use (kind of like nutrition information on any food item you consume):
- Exactly what data of yours is a company storing?
- How long are they going to keep it?
- Can they share it? (With or without your express permission?)
- Can you find out who has seen it, can you grant and revoke access?
- Can you request that data be destroyed?
This really just scratches the surface of data privacy and custodianship, and it will be interesting to see how the pending legislation proposes to help us answer these questions, or in other words: what's being done with our data.
I applaud the Administration for underscoring the importance of data custodianship, bringing positive focus to the cybersecurity of companies, highlighting vulnerabilities, breaches, and accountability for protecting information they do not own.
As always, we encourage your thoughts and feedback, here or on Twitter.