Last summer, Catherine “Kitty” Green received disturbing news about the computer network of Gulf Coast University in Florida, where she oversees a private donor fund. An external data provider warned that hackers had secretly entered the university’s systems and had possibly accessed sensitive personal information about its benefactors.
Six months later, FGCU sent notices to 5,498 financial backers offering free credit monitoring and a hotline for more information. It took that long because, after consulting technical and legal experts, the university determined that under the applicable state laws it would have to issue different notices in 16 different states.
“Every country has different issues, which makes it much more difficult to know what to do,” Green said. “It was definitely more time consuming than we could have imagined.”
As more and more businesses, governments and organizations are exposed to cyber-attacks, the lack of a clear, effective reporting standard for threats and breaches has taken on new urgency.
Another massive attack came to light over the weekend, this time involving Microsoft’s widely used email software and affecting at least 60,000 known victims worldwide, according to a former senior US official familiar with the matter.
That follows the so-called SolarWinds hack, in which suspected Russian hackers compromised the widely used software of Texas-based SolarWinds. According to the White House, about 18,000 of its customers received infected updates, and a much smaller number were singled out for secondary attacks: about 100 private-sector companies and American government agencies.
Against the backdrop of all these attacks, notifying the public has become a major headache, because as data breaches have increased, so has the patchwork of notification requirements.
At the federal level there are special rules for personal health records, and the Securities and Exchange Commission recommends that public companies inform investors of “material” breaches.
Each of the 50 states has its own breach notification requirements, as do the District of Columbia, Puerto Rico and Guam.
In Indiana, for example, at least 30 organizations have filed data breach notices this year to warn a single resident of the state, according to the Attorney General’s Office. (Records show that FGCU filed a notice in Indiana, where 34 of its donors live.) A number of other states likewise require notification regardless of how many residents are affected.
Organizations that suffer cyber-attacks must navigate a reporting maze that “makes life more difficult for victims,” said Raord Kelly, an FBI and National Security Council veteran who oversees FTI Consulting’s cybersecurity practice in the United States. “It puts them in a situation where they face different rules. I think the federal government should take action to detect data breaches.”
Earlier proposals to create a common standard for when the private sector must give warning of cyber intrusions met resistance from some Republicans and business groups, who described them as costly, burdensome and harmful to public-private partnership. In 2015, the Obama administration proposed “simplifying and standardizing the existing patchwork,” which at the time consisted of 46 separate state laws, in favor of “one clear, timely notice requirement.”
The Cyber Security Information Exchange Act passed that year did not go that far. Instead, it provided legal protection to organizations that voluntarily shared information about cyber threats.
“I do not think our traditional reporting mechanisms are working,” said Sen. Mark Warner, chairman of the Senate Intelligence Committee, during a hearing last month on developing new notification standards.
Redmond-based Microsoft President Brad Smith and FireEye chief executive Kevin Mandia, whose cybersecurity firm discovered the SolarWinds breach, each advocated mandatory standards for sharing suspicious network activity before it could lead to public notices.
As things now stand, organizations that suffer data breaches are often required to disclose them only after consumer data has been put at risk. That can happen months after the first threat is detected, by which point the value of a warning has diminished. The complexity of the state and federal notification requirements only adds to the delays.
It would have been easier to create a unified disclosure regime before every state enacted its own law, but the problem is now so pressing that policymakers may finally act, said Luke Dembosky, a former assistant attorney general for national security who now heads the data security practice at Debevoise & Plimpton.
“In the United States, we have a Frankenstein notification regime that increases costs and inefficiencies,” he said.