BreachExchange mailing list archives

Data breach reporting mandate may be a needless distraction


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 10 Jan 2014 17:29:18 -0700

http://www.fiercegovernmentit.com/story/data-breach-reporting-mandate-may-be-needless-distraction/2014-01-09

Federal agencies must report data breaches involving personally
identifiable information to the Homeland Security Department within an hour
of discovery, which is not a particularly useful endeavor, the Government
Accountability Office says.

After just an hour, agencies often have little to report to US-CERT, the
cyber incident response unit at DHS, but must do so under Office of
Management and Budget guidance.

"OMB staff said that they were unaware of the rationale for the 1-hour time
frame, other than a general concern that agencies report PII incidents
promptly," says the recently released report, dated Dec. 9.

It can take weeks or months to gather complete information on data breaches.

Agencies reported 22,156 incidents involving personal information in fiscal
2012, up from 15,584 incidents the year before, and more than double the
number from 2009.

"Agencies may be making efforts to meet the reporting requirements that
could be diverting attention and limited resources from other breach
response activities," the report says.

The requirement also forces agencies to file reports that are of little use
to US-CERT, like when a breach involves paper documents. Such incidents may
only affect a few individuals, and they're outside the expertise of
US-CERT--short for Computer Emergency Readiness Team.

Agencies also have to report lost or stolen hardware containing personal
information, even if encryption makes it unlikely for data to be
compromised.

"US-CERT officials said they have little use for case-by-case reports" in
those kinds of incidents, the report says.

Also, US-CERT does not use the information it collects to help resolve
incidents or to provide technical assistance--casting further doubt on the
need for agencies to file a report immediately. US-CERT compiles the
information for statistical purposes.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 