Information security experts today praised the attention U.S. President Barack Obama is lavishing on cybersecurity, but have some concerns about how proposed legislation will be implemented and enforced while others say the proposals don't go far enough.
In a speech at the U.S. Federal Trade Commission (FTC) today -- marking the first time a U.S. president has come to the FTC since Franklin Delano Roosevelt's visit in 1937 -- Obama proposed legislation that would require companies to notify consumers that their personal information has been compromised within 30 days of the discovery of a data breach. The legislation would also enhance law enforcement's capability to pursue those who trade in stolen identities, even overseas.
"If we're going to be connected, then we need to be protected," Obama said. "As Americans, we shouldn't have to forfeit our basic privacy when we go online to do business."
Obama said he will also reintroduce the Consumer Privacy Bill of Rights and introduce another piece of legislation that would ban educational software providers from using the data they collect from students for marketing purposes.
"Data collected on students in the classroom should only be used for educational purposes -- to teach our children, not to market to our children," Obama said.
Obama intends to detail the proposals in his State of the Union speech next week.
Information security experts were quick to embrace the president's focus on these issues.
"I think it's really positive that the issues around cybersecurity are getting this level of attention and scrutiny," says Ken Levine, president and CEO of data loss prevention specialist Digital Guardian. "Certainly the industry getting together and sharing vital information is an important step in the right direction. Recognizing that protecting consumer information is a step in the right direction."
The Risks of Over-Reporting
"It's really good news that our federal government is preempting state law, specifically with the requirement to notify data breach victims in a set time period," adds Larry Ponemon, founder and chairman of the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy. "Companies have had a hard time managing the various state laws because there are 46 or 47 of them. It's actually a good thing to have one set of rules for notification."
However, Ponemon is somewhat concerned about the idea of mandating a strict 30-day notification window. For the past nine years, the Ponemon Institute has conducted annual studies on the cost of data breaches. It has found that rapid notification can increase the cost of data breaches by an average of $7 per record.
"On the negative side, there is definitely a cost to reporting early," Ponemon says. "Consumers that receive a notification that their data has been lost or stolen get very angry if they later get a notification that they were notified in error."
Ponemon has found that the loss of customer loyalty does the most damage to a company's bottom line in the wake of a data breach. Companies typically need to spend heavily to regain their brand image and acquire new customers. Pharmaceutical companies, financial services firms and healthcare organizations often see the worst churn in these cases.
Companies should be required to notify victims when their data has been compromised, Ponemon says, but responding too quickly drastically increases the chances that customers that weren't affected will be notified that they were.
"People want to know what they need to worry about," he says. "But over-reporting is a problem. A lot of organizations have made a decision to over-report the size of a data breach. That's a bad strategy. It makes consumers worry unnecessarily and leads to a higher number of people that will churn or end their relationship with the company because they no longer believe the company is responsible with their data.
In addition, Ponemon notes that once a data breach has been detected, it can take months or even as much as a year to determine whether data has been lost or stolen as cybercriminals often work hard to cover their tracks.
"Thirty days may be an appropriate time to notify in many cases, but there needs to be a carve out for the law -- in the event that early notification will hinder the investigation, maybe they get a little more time before they have to notify. Once you notify, you tip your hand to the bad guys."
Digital Guardian's Levine is a bit more sanguine about the 30-day window.
"Sometimes it's difficult to do a full investigation in that period of time," he says. "But I think there needs to be better acceleration of notification. I think it demonstrates that better data security is important."
Ponemon also praises the Consumer Privacy Bill of Rights, noting, "Anything that elevates privacy as a social priority is a good thing."
On Tuesday, the president will appear at the National Cybersecurity and Communications Integration Center, where is expected to discuss measures to increase cybersecurity information sharing between private sector firms and the government.
Close But Not Enough
"We are delighted that the administration will not only be enhancing the incentives for information sharing, but reviewing the entire information sharing architecture which is stuck in a 20th century industrial model," says Larry Clinton, president and CEO of the Internet Security Alliance (ISA) trade association, which the administration briefed on its proposals on Friday.
Clinton says a key problem with today's information sharing structure is an inability to reach small and mid-sized organizations with actionable information. He notes that ISA has suggested an alternative cross-sector model that leverages economies of scope and scale to make it easier and cheaper for small firms to fend off cyberattacks.
Clinton says he is also heartened by proposals to make it easier for law enforcement to pursue cybercriminals, adding that government has spent too much time and effort blaming the victims.
"We also welcome the administration's, and we hope Congress's, new focus on cybercrime, he says. "While protecting critical infrastructure from catastrophic cyberattack is obviously important, 95 percent of all cyberattacks are economic in nature -- mostly theft -- yet we successfully prosecute less than two percent of cybercriminals. Policy makers have spent too much time and rhetoric blaming the victims of cyberattacks and not nearly enough empowering and resourcing our law enforcement agents to go after the criminals themselves."
In the end, Clinton says the president's proposals are a good first step, but don't go far enough.
"The steps being announced this week are good, but not nearly enough," he says. "Our cyber platform is inherently weak and getting weaker with the explosion of mobile devices and the Internet of Things. The attackers are getting better as techniques confined to nation states a few years ago are now being used by common criminals. Finally all the economics of cybersecurity favor the bad guys," Clinton says.
"Attacks are easy and cheap to access and profit margins are tremendous,"
Clinton says. "On the other hand, defense is hard, a generation behind the attackers and law enforcement is currently inadequate. Better information sharing would be good, but no one should think that is anywhere near enough to address our growing cybersecurity problems."