Shostack + Friends Blog Archive


Disclosure, Discretion and Statistics

One of the very interesting things about mandatory disclosure of breaches is that it adds a layer of legitimacy to the data. If all we have are self-selected reporters, we must investigate what bias that adds. This makes the FBI-CSI report and many others even less useful. New laws that require disclosure give us not only more data, but better data.

Unfortunately, some of the laws that are out there add a degree of human decisionmaking to the process. They assert that disclosure is only required if there’s a “reasonable belief” that the data might be misused. This is an odd loophole. As Philip Alexander writes in “Data Breach Notification Laws: A State-by-State Perspective:”

Kansas, Colorado and Delaware are among 18 states that have provisions exempting companies from disclosure if, upon investigation, it is believed that the stolen data will likely not be misused. I would caution companies from relying too heavily on such a provision. For one thing, there is a clear conflict of interest for a company to conduct its own investigation to determine if the data stolen as a result of a security breach is likely to be misused or not. In addition, how can anybody know the hacker’s intent? The risk, then, is the negative public perception if it gets out that your company had a data breach and unilaterally decided that the data wasn’t likely to be misused.

So not only is this provision poor shelter, but it corrupts the data, by restoring sampling bias. Lawmakers should understand that there’s policy goals here beyond the individual breach, and not re-introduce biases.

One comment on "Disclosure, Discretion and Statistics"

  • Chris says:

    In at least one state (can’t remember details, sorry) opinion as to the likelihood of exploitation can come from the police. I am not sure they are best-equipped to make this call, regardless of how disinterested they may be in whether disclosure occurs.
    It’s interesting.

Comments are closed.