Data Security & Privacy

Debate: Should A Company Be Required To Disclose A Data Breach?

Breaches of an organization's critical infrastructure, specifically its cyber-infrastructure, have become a daily recurring problem for businesses and governments worldwide.  Allegations of the Chinese military hacking into the IT networks of American businesses, and of organized criminal enterprises setting up lucrative black-market schemes, permeate the mainstream media. 

When a breach of mission-critical data occurs, should the victimized entity (i.e. business, government, etc.) be required to disclose that an incident has occurred?  The reality is that most organizations, even when required to by law, do not disclose that a breach of their cyber-infrastructure has occurred, not to law enforcement and especially not to the general public at large.  The reasons for non-disclosure are numerous (e.g. loss of investor confidence; fear of class-action litigation; loss of goodwill; lack of internal/external controls; etc.). 

The New York Times recently held a forum on whether businesses should be required to disclose data breach incidents.  The following are excerpts from that discussion (I have provided a brief response to each as well):

  • Lauren Gelman, Attorney – Ms. Gelman believes that it is important to share intrusion details and forensic data from breaches of mission-critical data.  She substantiates her position with a public-policy argument: the public has a right to know if a company has been hacked so that it can determine the right level of investment in cyber-security research and response.  Hackers exploit commonly known vulnerabilities in technology, and therefore targeted victims should take a "comfort in the herd" approach and share what they know with others.  She is in favor of regulation, because it is a "collective action problem."  It is very tough to provide a one-size-fits-all solution to cyber-security.  Organizations are uniquely individual in every aspect of their functionality, and it is not necessarily comforting to be part of a herd when there is a pack of wolves surveying your collective weaknesses (i.e. like shooting fish in a barrel). 
  • Alexander Tabb, Consultant – Mr. Tabb posits that disclosure "telegraphs" the weaknesses or lack of controls within an organization, and therefore leaves a company open to more attacks.  Mr. Tabb is quick to point out that executives of publicly traded firms (and I would add private ones too) still have an obligation to respond to incidents against their critical infrastructure (they just do not have to publicly disclose the incident).  A good try at creating an antagonistic viewpoint, but the "ethical" argument is tough when it comes up against an executive's number one objective – exceeding shareholder expectations.   
  • Jacob Olcott, Policymaker – Mr. Olcott states that a business is built so much on goodwill and intellectual property these days that stakeholders (or potential stakeholders) have a right to know whether the organization can adequately keep their secrets secure.  Good point, but it is hard to find a correlation between data loss and stock price (i.e. TJ Maxx had a huge data breach, and its stock price has bounced back; I am not aware that Heartland Payment Systems went out of business, or that Sony's PlayStation is no longer being sold).  In other words, the perception is that companies can rehabilitate themselves if a data breach occurs. 
  • Lee Tien, Attorney – Not surprisingly, Mr. Tien suggests that data breach notification laws should be strengthened so as to give affected persons sufficient time to identify the signs that their privacy may be, or may become, compromised.  Public disclosure gives the general public at large a greater perspective on the cyber-security problem, and allows for a collective response.  More laws – that's how we attorneys keep going.  I would argue that MORE LAWYERS need to be adequately trained to help their clients find proactive solutions to cyber-security, not reactive solutions through litigation. 
  • Baruch Fischhoff, Professor – Mr. Fischhoff offers a clinical opinion in which he states that questions of risk and decision-making are complicated, and that rather than whipping the public into hysterics, we should simply tell them what they need to know (i.e. how big is the risk? Is the individual personally vulnerable?).  The "ignorance is bliss" argument.  This seems a bit paternalistic, and masks the problem.
  • Joseph Lorenzo Hall, Technologist – The last member of the forum, Mr. Hall, posited that the underlying dilemmas of cyber-security are complex, because there is an interaction of social, technological and institutional problems.  Disclosure does not get to the "underbelly" of data security; instead we should focus on creating a common social understanding of how to keep people and systems safe when interacting with networks and computers.  Agreed. However, this is the 800-pound elephant in the room, and the only way to eat the elephant is one bite at a time (but determining which part to eat first is critically important).

Where does your organization fall in this discussion?  Where should it fall in this discussion?
