TRENDING:

Justice Calls for Breach Reporting Law

Quick Notification Vital to Capture Assailants Eric Chabrow (GovInfoSecurity) • June 18, 2009    
Justice Calls for Breach Reporting Law
A senior Justice Department official asked Congress to enact legislation to require companies to report breaches of their computer systems to law enforcement officials.

"Immediate reporting of incidents to law enforcement is vital to law enforcement's ability to investigate large-scale data breaches," Deputy Assistant Attorney General Jason Weinstein said in testimony Wednesday to the House Committee on Oversight and Government Reform's Subcommittee on Information Policy, Census and Nation Archives.

Weinstein, in his prepared testimony, said that immediate reporting relies on each potential victim company's ability to promptly detect an incident, but experience shows that prompt detection will not itself result in a report from the victim company.

He said data breaches are significantly underreported, and as a result, law enforcement efforts to bring criminals to justice are significantly hampered. "If law enforcement never learns of the incident, we will not be able to investigate it; if we hear about it too late, we may be unable to preserve critical evidence or identify the perpetrators," he said.

Weinstein said authorities successfully tracked down perpetrators of high-profile data breaches as the direct result of immediate information from victim companies on how the hackers entered and exited their systems, including the specific IP addresses used in the attack. One example he cited: the restaurant chain Dave & Buster, in which hackers last year installed so-called packet-sniffer software on point-of-sale serves to log details on thousands of payment cards.

But Weinstein suggested the Dave & Buster case an exception of companies reporting breaches, so Congress should enact legislation to compel such action. He said any legislation should contain provisions to ensure that breaches are reported to law enforcement prior to notifying individual victims, and to permit law enforcement to seek delayed notification, so that law enforcement has sufficient time to preserve evidence and investigative leads.

Previous
City CISO Creates Own IT Security Guidance
Next
Picking the Cybersecurity Czar

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



Around the Network

Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.