Look at US breach notification rules

David Howorth says the EU window for breach notification is too narrow

The EU should take stock of the US and its breach notification laws and learn from them. Bringing breach notification laws into Europe is a welcome move, but 24 or 72 hours is such a short period that consumers may be frightened off.

And a breach doesn't just happen; there is a reconnaissance period in which hackers try to infiltrate the network and probe the infrastructure for weak links that could serve as a back door.

This can happen months before the attack is launched. Then there is an attack phase and a post-compromise phase.

Most companies that use threat detection and continuous monitoring tools such as network intrusion detection, web application firewalls, log management or SIEM collect, through rich security content and security rules, events such as failed logins and changes to admin permissions, which can help them stay on top of vulnerabilities before they are exploited.

These tools may be run standalone, supported by the company's own IT team, or delivered as a managed service.

However, many companies don't have the skills or a team able to analyse and understand a breach as well as fix it within 24 hours.

Some technologies, such as encryption, will also take a breach out of scope. And while consumers have the right to know their data has been compromised, they also need the facts: what happened, how it happened, what has been done to rectify it or stop it happening in future, and general consumer guidance on next steps such as changing logins, passwords, credit cards, and so on.

Doing all this is not possible in 24 hours. Target, Sony and many other companies that have been breached simply would not have had enough time to carry out a thorough investigation, including forensics, draw up a remediation plan and provide guidance to their consumers within 24 hours.

In the case of the US, 30 days is the maximum amount of time a company has to complete its analysis, remediation and notification. Companies obviously should strive to release this information quickly, providing their customers with a solid update within this time frame.

David Howorth is EMEA vice president at Alert Logic