A new report by Joe Stuntz, vice president of cybersecurity at One World Identity, questions what constitutes a “distinct cyber incident” rather than a “privacy incident,” in relation to data breaches. One such breach has affected thousands of government employees.
Stuntz bases his report, published Monday by The Hill, on an announcement by the Department of Homeland Security about a security breach of 247,167 employee records. Stuntz notes that many “interesting details” about the announcement stand out, among them the six-month lapse between the agency’s discovery of the 2014 breach and its reporting of the breach to affected employees.
“[T]he records were uncovered during a criminal investigation. DHS even revealed that the records were found in the possession of a former DHS Office of Inspector General employee.
“But the part that jumped out the most was how explicit DHS was about characterizing this as a ‘privacy incident.’ In its public statement, the department made no mention of the incident as an insider threat issue, despite the records being found in the possession of a former employee.
“Rather than question DHS’s designation of this as a ‘privacy incident,’ we should focus on what that designation means. Labeling this a privacy incident suggests that a distinct cyber incident would require an outsider gaining access through the network. It could also indicate that the categorization was made after DHS waited until their forensics demonstrated it was not exposed to malicious activity.
“If malicious access is a requirement, any reporting timeline that agencies or companies are required to follow will need to be much longer than previously thought. This extra time would give the forensics team room to do their jobs accurately and fairly, without rushing to conclusions in order to fulfill a reporting timeline.”
According to Stuntz, privacy incidents and cyber incidents can have different reporting requirements, although “data is ultimately compromised in both instances.” He says it is therefore difficult to decide which designation to give an incident, and that the disparity needs to be addressed.
“The lines between privacy incident, security incident, insider incident, and fraud are blurry at best. We hope regulation, policy, and — most importantly — stakeholder expectations evolve, ensuring all parties receive the same notification, reporting and remediation standards for any data lost, compromised, or impacted.
“Such reporting should be done with the acknowledgement that it often takes a long time to fully understand any incident. If Congress and agency leadership are demanding real-time updates, they need to understand that the information they first receive will not only be incomplete, it will also frequently be inaccurate.
“Organizations should focus less on how a breach occurred (hacking, insider, fraud, etc.) and focus more on building up and preserving customer trust in their products and services.”