BreachExchange mailing list archives
Data breach reporting mandate may be a needless distraction
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Jan 2014 17:29:18 -0700
http://www.fiercegovernmentit.com/story/data-breach-reporting-mandate-may-be-needless-distraction/2014-01-09

Federal agencies must report data breaches involving personally identifiable information to the Homeland Security Department within an hour of discovery, which is not a particularly useful endeavor, the Government Accountability Office says.

After just an hour, agencies often have little to report to US-CERT, the cyber incident response unit at DHS, but must do so under Office of Management and Budget guidance.

"OMB staff said that they were unaware of the rationale for the 1-hour time frame, other than a general concern that agencies report PII incidents promptly," says the recently released report, dated Dec. 9.

It can take weeks or months to gather complete information on data breaches. Agencies reported 22,156 incidents involving personal information in fiscal 2012, up from 15,584 incidents the year before, and more than double the number from 2009.

"Agencies may be making efforts to meet the reporting requirements that could be diverting attention and limited resources from other breach response activities," the report says.

The requirement also forces agencies to file reports that are of little use to US-CERT, like when a breach involves paper documents. Such incidents may only affect a few individuals, and they're outside the expertise of US-CERT--short for Computer Emergency Readiness Team.

Agencies also have to report lost or stolen hardware containing personal information, even if encryption makes it unlikely for data to be compromised. "US-CERT officials said they have little use for case-by-case reports" in those kinds of incidents, the report says.

Also, US-CERT does not use the information it collects to help resolve incidents or to provide technical assistance--casting further doubt on the need for agencies to file a report immediately. US-CERT compiles the information for statistical purposes.