The Effects of GDPR’s 72-Hour Notification Rule:
The EU’s GDPR regulation requires companies to report a breach within 72 hours. Alex Stamos, former Facebook CISO now at Stanford University, points out how this can be a problem:
Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.
1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing.
Last week’s Facebook hack is his example.
The Twitter conversation continues as various people try to figure out if the European law allows a delay in order to work with law enforcement to catch the hackers, or if a company can report the breach privately with some assurance that it won’t accidentally leak to the public.
The other interesting impact is the foreclosing of any possible coordination with law enforcement. I once ran response for a breach of a financial institution, which wasn’t disclosed for months as the company was working with the USSS to lure the attackers into a trap. It worked.
The assumption that anything you share with an EU DPA stays confidential in the current media environment has been disproven by my personal experience.
(Via Schneier on Security)
It’s hard to do incident response well. With the disclosure rules as they are, once the information gets out (and it will) the resources needed to clean things up and properly determine what happened become busy trying to provide customer service as well. Tools like the various IR orchestration platforms (my employer makes one) can certainly help; unfortunately it does come down to a human resource problem.
I get the law enforcement angle referenced above and why it might be in the greater public interest to pursue such a path. Attribution, which is very hard to do well, is fundamental to any kind of trap for the bad guys. Attribution takes time.
It will be interesting to see how this shakes out with this and the next handful of cases.