A Blog by Jonathan Low


Aug 14, 2014

Shssh! The Contrarian View on Data Breaches

The presumption these days is that a data breach must be reported, and the sooner and more comprehensively the better. 47 US states and the Securities and Exchange Commission (SEC) demand various levels of disclosure by law.

It is not clear that this has made the public, the institutions to which it entrusts its data or the data itself any safer, but it has certainly raised awareness about the problem.

While it cannot accurately be said that we live in an age of transparency, it is the case that transparency is the default posture expected. Given the plethora of information available and the value placed on reputation, it is certainly more advantageous to be as honest as is prudently possible, rather than being caught in an endless downward spiral of obfuscation and dissimulation.

But what if too much disclosure is actually more harmful than too little? As the following article suggests, questions are being raised about the relative merits of exercising discretion rather than sharing all.

It seems apparent that society has generally benefited from an emphasis on honest, open discourse. However, given the degree of personal data now online and the vulnerability that creates, it may be useful to consider the implications of cautious discretion versus reflexive disclosure. JL

Danny Yadron reports in the Wall Street Journal:

Urban Outfitters Inc. hired Dawn-Marie Hutchinson last year to keep hackers out of its computers. If crooks were to get in, Ms. Hutchinson doesn't think the teen retailer should immediately tell the world.
"There is this crazy hysteria," about cyberattacks, says Ms. Hutchinson, Urban's head of information security. "Placing blame, it doesn't help anybody."
Ms. Hutchinson is among a group of executives taking a stand in a debate about the merits of disclosing cyberattacks. They are questioning the prevailing view that companies should always notify customers, vendors and authorities after a breach.
To the contrary, these executives argue that many breaches don't lead to harm and can be handled quietly. Not every corporate document is a valuable trade secret; credit-card numbers may be exposed but never stolen, or stolen but never used. Disclosure can cause its own problems, prompting consumers to waste time replacing credit cards, for example.
Most seriously, they say, going public could expose weaknesses that others could exploit. "You wouldn't necessarily disclose a nation-state actor trying to do harm in an industry that's very vulnerable," Leslie Thornton, general counsel of WGL Holdings Inc., a Washington, D.C., gas utility, told a forum sponsored by the Securities and Exchange Commission last month. Russian and Iranian hackers have targeted U.S. energy companies during the past year, U.S. officials and private researchers have said.
It's unclear how many executives agree with Ms. Hutchinson and Ms. Thornton. At a closed-door meeting of the National Association of Corporate Directors in June, some participants questioned the value of disclosing hacks, weighed against the negative publicity.
Talking openly about cyberthreats is controversial because some executives fear it can make the company a target for hackers and such statements could be used against them in litigation.
"It's poor form to say it publicly," said Jeffrey Carr, who talks often with corporate leaders as founder of the "Suits and Spooks" cybersecurity conference. "There's an international movement toward more transparency not less."
Others say companies have a duty to disclose hacks to business partners, customers and investors who may have been affected. Many computer-security experts say disclosure helps others respond to an attack, and deter future hacks.
"Understanding the scope of the threat and the damage it's doing and even how an attack succeeds would be really useful for the country," said James Lewis, a senior fellow at the Center for Strategic and International Studies who often advises Washington officials on cybersecurity. "If you're a CEO or a general counsel, you might make America safer to share the information but you also might be out on the street."
The debate among executives mirrors divisions among government officials.
The SEC in 2011 required companies to disclose "material information regarding cybersecurity risks and cyber incidents." In a speech last month, U.S. Treasury Secretary Jacob Lew told financial firms to share more with each other and law enforcement on hacking incidents, although not necessarily in public. "There cannot be a code of either silence or secrecy about the steps necessary to protect our basic security," he said.
Yet other law-enforcement and national-security officials say some incidents should be kept quiet. Some U.S. investigators say privately that blabbing about a cyberattack could tip off foreign intruders the U.S. is on to them.
Disclosing hacks wasn't always routine. Before 2005, only California required companies to notify consumers whose data had been stolen. Then hackers stole a trove of records from ChoicePoint, a consumer-data firm since acquired by Reed Elsevier PLC.
ChoicePoint initially notified only consumers in California, even though thousands of consumers in other states may have also been affected. The incident helped spark a wave of legislation in other states.
Today, 47 states require companies to notify consumers of data thefts, including Kentucky, which enacted such a law this year.
Executives describe a complex calculus in deciding whether to disclose hacking incidents. After a payment-card breach, banks often reimburse consumers for fraudulent charges, whether the hacked company goes public or not.
Some companies may decide not to tell shareholders because they believe intruders only stole less-valuable information, such as working papers for an already-published report or clinical practices for an academic hospital, said James Kaplan, a principal at McKinsey & Co., citing two examples he's heard from executives.
Target said tens of millions of credit and debit card accounts may have been affected by its data breach. It recently lowered its quarterly outlook, in part on nearly $148 million in costs dealing with the fallout. 
"If you never disclose the breach at all, then you don't have class-action suits," Doug Meal, a partner at Ropes & Gray LLP, said in an interview this spring. Mr. Meal advised Target Corp. after hackers stole 40 million credit- and debit-card numbers late last year.
The Target breach was disclosed by a blogger, but the state disclosure laws likely would have forced Target's hand. Molly Snyder, a Target spokeswoman, said, "We want to be explicitly clear that Mr. Meal's statements do not reflect the beliefs of Target."
At a recent private meeting for security executives in Philadelphia, Ms. Hutchinson, the Urban Outfitters executive, explained how companies could keep certain hacking incidents private. Even if intruders accessed a database of millions of customer records, a firm may not be obligated to go public if only a small fraction were stolen, she said, according to another executive in the room. Ms. Hutchinson confirmed the account.
After the Target theft, Ms. Hutchinson grimaced as the retailer's holiday sales plummeted and lawsuits piled up. Each week brought a new revelation. "There just seemed to be like this vomiting of information," she said in a recent interview.
Ms. Hutchinson said she's not arguing Target should have kept the breach a secret. Rather, she said that every company needs a plan to deal with breaches.
Urban, perhaps best known for vintage-style sweaters and ironic picture books, has prepared a detailed map to react to a cyberattack.
To its knowledge, Urban hasn't been breached yet, according to Ms. Hutchinson and the company's securities filings.
In hacker simulations, the company has mapped out one response for a data breach it discovers on its own and another if it's alerted by law enforcement or a journalist. But "we actually don't use the term breach," because that could trigger disclosure laws, Ms. Hutchinson said.
After a hack involving consumer data, her first call isn't to her boss, who is Urban's technology chief. Instead, it's the company's general counsel, a shift the company made post-Target to cloak the conversations under attorney-client privilege. Then, according to the plan, an outside investigator, whom she declined to name, is due at Urban headquarters within 24 hours, Ms. Hutchinson said.
She said she might recommend telling consumers about a hacking incident, but only after extensive analysis. Announcing "anything earlier than three months, in my opinion, would be too quick," Ms. Hutchinson said.
