Breach Reporting & The Need for More Transparency

Fact: due to inconsistent breach regulation and reporting standards, when a breach occurs, consumers and businesses can't assume that they will always be notified.

In an article published in SC Magazine, Stephen Boyer exposes the "Fuzzy Math" around breach regulation and reporting. He raises the call for a national standard that would define exactly what incidents need to be reported and require consistency in the type of details revealed. The article explains that currently, each state is left to determine what is reported and when, which means in many cases, smaller incidents remain undisclosed and there is no true count of how many breaches have occurred or the number of records impacted.

Furthering this call, a blog post by Oren Falkowitz points out that even in major breaches, details can be hard to come by. He reveals that as of January 28, 2014, Target still had not disclosed the details regarding their breach to the SEC. His post goes on to question whether we would know so much about this breach if it hadn't been reported in the national media, which often is the case with smaller incidents.

Both of these articles point out that until national standards are adopted, we are left in the dark when it comes to understanding the magnitude of cyber threats and how we can defend ourselves against them. As Stephen states in SC Magazine, consistent reporting will allow us to build more accurate risk models, which will in turn "enable risk managers, policy makers, cyber insurers and consumers to make more educated decisions on how to manage cyber risk. As cyber risk is priced into purchasing and partnership decisions, organizations will be incentivized to improve their security and become better at notifying the relevant parties of an incident or breach. Transparency and accountability will breed improved security, which will benefit all."

What are your thoughts on this issue?