In the last episode of the Cyber Second Podcast, we talked about the confusing patchwork of rules and laws - state, federal, global - dictating data breach disclosure rules. The common thread in nearly all of the existing regulations is that the disclosure clock starts the very moment that a company becomes aware of the breach. But when does someone truly know something, and who needs to know to establish that the company knew they were impacted? Does the clock start when the first log anomaly is detected by a member of the security staff, when the CEO is formally briefed, or when the forensic investigation proves a breach really occurred?
Certainly, businesses have a desire to truly understand what - if anything - has occurred before they communicate it to customers. But what about the desire of the customers? How long will it take an attacker to monetize the data and automate phishing attacks, or do something with the information that is bad for the consumer? The business may be impacted, but it seems the truly injured party in a breach is not the company, but the person whose data was stolen.
In this podcast, Adrian Lane, analyst and CTO at Securosis, asks us to change our perspective as he answers some of our most pressing questions - and addresses our key concerns - around data breach disclosure.