BreachExchange mailing list archives

Hacked? Customers are often last to know


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 28 Aug 2014 20:00:49 -0600

http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/28/hacked-customers-are-often-last-to-know/


Rumors of a data breach at a major New York bank started circulating more
than a week ago in cyber-security circles. So for insiders, news that
JPMorgan Chase had been victimized was more confirmation than revelation,
just the latest headline from a digital crime wave that shows no sign of
ebbing.

But for the millions of customers of JPMorgan Chase, the news reports that
began appearing Wednesday were the first indication that their personal
information might have been stolen by hackers. Like Target, Neiman Marcus
and countless other companies, the nation's largest bank chose to keep
evidence of a cyber-crime private until journalists forced the issue.

This reticence is both deeply rooted within corporate America and, to some
consumer advocates, deeply infuriating. Had a family's precious jewelry
been stolen from a safe deposit box, any bank would have quickly notified
the affected customer. Yet loss of personal information, especially when it
happens on a mass scale, is treated differently, both by the law and by
industry custom.

The result is that days, weeks or longer can pass between when a company
learns of a cyber-crime and when its customers do. That gap, say security
experts, can amount to crucial lost time for people who might want to
protect themselves by monitoring transactions, changing passwords or
alerting other relevant parties - such as a credit card company - that the
risk of fraud or identity theft is elevated.

"There have been so many breaches where companies have held information for
so long that more disclosure would force companies to do a better job being
accountable to consumers," said Ed Mierzwinski, Consumer Program Director
at U.S. PIRG. "It's a real pain in the neck to clear your name... You have
to spend time -- a lot of time -- clearing your name. And you don't get
paid for that."

A wave of state laws passed over the past dozen years has required
companies to notify customers in a timely manner about data breaches that
affect them. There also are notification requirements specific to banks
under federal law. Publicly traded companies must report "material
breaches" from cyber-crime in disclosures to investors. And the Federal
Trade Commission investigates some corporate data breaches, especially when
there is evidence that security measures were not up to industry standards.

The result is a mish-mash of rules and regulations that, in practice, force
companies to disclose data breaches but rarely require them to do so
quickly. New York's data breach law, for example, requires disclosure "in
the most expedient time possible and without unreasonable delay," but
allows for delay to accommodate "the legitimate needs of law enforcement"
during an ongoing investigation.

The interests of consumers and authorities sometimes diverge, said Neil
MacBride, former U.S. Attorney for the Eastern District of Virginia and now
a partner at Davis Polk & Wardwell. "Consumers want immediate notification
from the breached company while law enforcement may want several days or
weeks to investigate a crime scene before hackers are tipped off that the
cops are on their tail."

The seriousness of the JPMorgan Chase breach, which involves at least one
other bank as well, remains uncertain, though some reports said account
data may have been compromised for some customers.

Bloomberg News first reported the intrusion Wednesday afternoon, saying
that the FBI was investigating the possibility that Russian hackers had
launched an attack in retaliation for U.S. sanctions prompted by Russia's
actions in Ukraine. Other investigators have expressed skepticism about
that possibility but not ruled it out.

JPMorgan Chase posted a notice on its Web site saying, "The security of
your Chase accounts is one of our highest priorities," with general tips on
how to protect personal banking security. But it didn't directly address
the numerous news reports of a data breach, nor did it offer details about
what happened and who might be affected. The most recent news release on
the corporate site, dated Monday, talks about a partnership between the
bank and a water industry non-profit group based in Milwaukee.

A spokesperson for JPMorgan Chase said it will notify consumers if it
determines they have been impacted but declined to say when or how.
JPMorgan Chase also declined to comment on when it first learned of the
data breach.

Notification is a notoriously cumbersome and costly process for companies
that have data breaches. Forty-seven states and the District of Columbia
have laws governing such disclosures, and a company with a nationwide
customer base may have to comply with them all.

The work involved in notification - and the public relations price for
companies that have failed to keep their customers' data safe - was a top
goal of those who pushed for state notification laws. They wanted to raise
the cost of data breaches in order to provide companies with incentive to
implement better security practices.

"It wasn't about providing a lot of notice to consumers. It was about
seeking some visibility about lax security procedures," said Deirdre
Mulligan, a professor at the University of California, Berkeley School of
Information who helped craft California's data breach law, which when it
passed in 2002 was the nation's first.

But 12 years later, as the incidents continue to pile up, some experts say
the time has come to revisit the subject - with the goal of prioritizing
the interests of the consumers who are affected.

"We've got this kind of patchwork, but given the frequency and visibility
of these breaches, we ought to have a much more rigorous conversation in
this country about data security policy," said Woodrow N. Hartzog, a
Samford University law professor who specializes in privacy and security.

Until then, companies typically are free to take the initiative of
notifying their customers quickly. RSA, the security division of EMC Corp.,
which makes security tokens for computer networks, publicly disclosed it
had suffered a breach in March 2011. Its chairman, Art Coviello, posted an
urgent message on its Web site acknowledging the intrusion by what Coviello
described as an "advanced persistent threat." Intelligence officials later
said they traced it to China.

"This was an extremely unusual event where the corporation very quickly
identified the breach and disclosed it," said Michael Brown, then a senior
cybersecurity official at the Department of Homeland Security and now a
vice president and general manager at RSA. "And we on the government side
were very impressed."

The company's action, he said, enabled the alerting of its customers in the
private sector and in government about ways to detect if they were
vulnerable and to protect themselves. "There's nothing worse," he said,
"than having an environment where potentially something's going to come out
and not having relayed coherent information to the customers."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
