The Law of Unintended Consequences hits yet again.

  [1]The Effects of GDPR's 72-Hour Notification Rule:

    The EU's GDPR regulation requires companies to report a breach
    within 72 hours. Alex Stamos, former Facebook CISO now at Stanford
    University, [2]points out how this can be a problem:

    Interesting impact of the GDPR 72-hour deadline: companies
    announcing breaches before investigations are complete.

    1) Announce & cop to max possible impacted users.
    2) Everybody is confused on actual impact, lots of rumors.
    3) A month later truth is included in official filing.

    Last week's [3]Facebook hack is his example.

    The Twitter conversation continues as various people try to figure
    out if the European law allows a delay in order to work with law
    enforcement to catch the hackers, or if a company can report the
    breach privately with some assurance that it won't accidentally leak
    to the public.

    The other interesting impact is the foreclosing of any possible
    coordination with law enforcement. I once ran response for a breach
    of a financial institution, which wasn't disclosed for months as the
    company was working with the USSS to lure the attackers into a trap.
    It worked.

    […]

    The assumption that anything you share with an EU DPA stays
    confidential in the current media environment has been disproven by
    my personal experience.

    This is a perennial problem: we can get information quickly, or we
    can get accurate information. It's hard to get both at the same
    time.

    Tags: [4]Facebook, [5]GDPR, [6]disclosure

  (Via [7]Schneier on Security)

  It's hard to do incident response well. With the disclosure rules as
  they are, once the information gets out (and it will), the people and
  resources needed to clean things up and properly determine what
  happened are also pulled into providing customer service. Tools like
  the various IR orchestration platforms (my employer makes one) can
  certainly help; unfortunately, it still comes down to a human resource
  problem.

  I get the law enforcement angle referenced above and why it might be in
  the greater public interest to pursue such a path. Attribution, which
  is very hard to do well, is fundamental to any kind of trap for the bad
  guys. Attribution takes time.

  It will be interesting to see how this shakes out with this and the
  next handful of cases.
  Also on: [8]Twitter

  My original entry is here: [9]The Effects of GDPR's 72-Hour
  Notification Rule. It posted Thu, 04 Oct 2018 06:42:58 +0000.
  Filed under: business

References

  1. https://www.schneier.com/blog/archives/2018/10/the_effects_of_5.html
  2. https://twitter.com/alexstamos/status/1046783533220421632
  3. https://motherboard.vice.com/en_us/article/bja7qq/how-50-million-facebook-users-were-hacked
  4. https://www.schneier.com/cgi-bin/mt/mt-search.cgi?search=Facebook&__mode=tag&IncludeBlogs=2&limit=10&page=1
  5. https://www.schneier.com/cgi-bin/mt/mt-search.cgi?search=GDPR&__mode=tag&IncludeBlogs=2&limit=10&page=1
  6. https://www.schneier.com/cgi-bin/mt/mt-search.cgi?search=disclosure&__mode=tag&IncludeBlogs=2&limit=10&page=1
  7. http://www.schneier.com/blog/atom.xml
  8. https://twitter.com/prjorgensen/status/1047739636280426496
  9. https://www.prjorgensen.com/?p=2085