Posted by Kevin on December 23, 2015.
The recent hack of the UK telecoms company TalkTalk highlights a vexing problem for CISOs: how quickly – and indeed to what extent – should you disclose a breach?
In October 2015 TalkTalk revealed that it had been breached. The CEO (Dido Harding, aka Baroness Harding of Winscombe) rapidly went public with a full disclosure, warning that up to 4 million accounts may have been compromised. In her haste she made a number of PR blunders. First she said she didn't know whether the data had been encrypted – as CEO it was her responsibility to know. Then she claimed that the company had done all that was legally required to protect the data, which did not sit well with either affected customers or security commentators. And the icing on the cake was her claim that TalkTalk had not breached the Data Protection Act because it was the victim of a crime (a statement Trend Micro's Rik Ferguson described as 'premature and presumptuous').
A few days later she announced that only partial account details were stolen, so no customer could lose any money from the hack. Again this was wrong – customers were already losing money from their bank accounts. But finally some good news: it wasn’t 4 million account details but ‘only’ just over 150,000, and ‘only’ 15,600 bank account details.
This raises the question: was Dido Harding right to go so public, so quickly? So far there seems to be little effect on the company. Breach-related costs are expected to be between £30m and £35m; but pre-tax profits are still expected to be around £300m. What we don’t know, however, is whether there will be any long term effect: has the brand name TalkTalk become toxic for new and renewed customers?
We asked nine CISOs from the Wisegate community: how soon after a breach should you disclose? We gave them six options:
What becomes very clear is that, in general, Chief Information Security Officers are not in favor of early disclosure. While nobody responded 'never', and nobody responded 'immediately', almost two-thirds will disclose only when, if and to the extent required by law. Note that this is 'required by law', not 'advised by law enforcement'.
Twenty-two percent suggested that disclosure should come only after preparing a reaction plan and statement for the public, with just one vote for some other 'tipping point'. "After you have spoken with internal and external counsel," commented one of the CISOs. It was also noted that an incident response plan needs to be in place before a breach, not devised during one.
Dido Harding and TalkTalk seem to have failed on both of these last points. Had she spoken to legal counsel, it is unlikely she would have claimed that TalkTalk was exempt from the Data Protection Act simply because it was the victim of a crime. Had an incident response plan been in place before the breach, she would not have turned the disclosure into such a faux pas.
It would be easy to assume from this survey that CISOs do not believe in disclosure – but I think that would be a misinterpretation. Note that no-one suggested that you should never disclose. I believe the key element is that CISOs think they should be in possession of the full facts before going public – but since establishing the full facts would likely take several months, they will be forced by law to disclose earlier.
“I would not report every type of breach,” explained one of the CISOs, “but only those required by regulation or a state statute. Then only report once you know the facts about the breach and how your data is protected. Your report should include what you are doing to ensure that further attacks will be avoided.”
You can get further advice on how to handle incidents from the report on a Wisegate roundtable led by a lawyer: Responding to Incidents and Preventing Crises. Mitzi Hill concluded, "Consider both the law and the golden rule: how would you feel if this were your data and no one told you it got released?"