With a rotating list of cyber threats testing the security of organizations' infrastructures every day, the obligation to implement proactive security solutions has become old hat.
Compliance, on the other hand, is the new one. This presents a major challenge: as well as proactively securing the infrastructure, organizations are now saddled with requirements emerging from regulations, legislation and contractual agreements that leave them wondering just how to comply.
The most notable of these uncertainties surrounds the requirement to notify clients, consumers or business partners when sensitive data has been compromised. This legal responsibility promotes a complex new test for information security staff, legal staff and business managers. Just when should one notify – or not notify – clients?
California's Senate Bill 1386 is one example of legislation that institutes notification requirements to protect residents' personal data. California Civil Code, Section 1798.29(a), along with SB 1386, says that organizations "shall disclose any breach... following discovery or notification... to any resident... whose unencrypted personal information was, or is reasonably believed to have been, acquired."
Reading this carefully, you can see that a breach of a computer system does not invoke the requirement to notify, but rather "any breach of the security of the data." Therefore, if a system has been compromised, then compulsory notification of the consumers is not required until it is confirmed, or "reasonably believed," that the data covered by the statute has been compromised during the security breach.
This means that a critical component to your organization's incident response is to find out exactly what has been compromised.
After a security breach, both management and legal counsel will want to know if any sensitive, covered data has been breached. This means that legal counsel, business line owners, and executive management must brace for some harsh realities.
First, most organizations do not have the infrastructure, tools, resources or methodologies in place to accurately determine what data has been compromised during a breach.
You will not get a definite answer to your question. The majority of investigations into computer security breaches yield inconclusive results concerning whether files and data, and if so which ones, had been accessed without authorization, so be prepared to deal with probabilities.
Be aware that the activities of the initial responders in your organization often jeopardize the accuracy of an investigation's conclusions.
You are likely to underestimate the time and cost of a thorough investigation, and even then you may be under-whelmed with the results.
What you can expect from an investigation into a security breach are non-definite statements such as: "The likelihood that the creditcard data was compromised is extremely low." Investigators or those responding will then need to offer the factors that contributed to their conclusion.
How does your organization weigh the results of your diligent investigation against the threshold of "reasonably believing" that sensitive, covered data has been compromised? How do you compare the likelihood of compromise to "reasonably believed to have been acquired by an unauthorized person?" This is what we call the "notification dilemma."
Will you decide to notify clients that sensitive data just might have been taken? And how might unwarranted notification impact the entire e-commerce or online banking community?
It seems the question "to notify or not to notify" is more difficult to answer than legislators, business owners, and security practitioners had hoped. In order to address the issue, organizations must consider adopting an effective incident response capability.
Whether incident response is performed in-house or by a trusted partner, it must be part of all organizations' risk management structure.
Kevin Mandia is president of Red Cliff Consulting and a former Air Force Special Agent