Time To Close Breach Disclosure Loopholes

September 22, 2016 at 9:19 am

According to the Recode blog, Yahoo will shortly be publicly disclosing a massive data breach involving hundreds of millions of user names, passwords, and personal information such as birth dates and alternate email addresses. Yahoo has been investigating the breach since August, when it discovered that a hacker calling himself “Peace” was selling the information on the “dark” web for nearly $1,800. The story is intriguing because (1) I am shocked that Yahoo still has that many users, and (2) the story shows yet again why state data breach disclosure laws need to be tightened and federal standards need to be enacted.

New York has a fairly typical disclosure notification statute. Section 899-aa of the General Business Law mandates that companies disclose data breaches “in the most expedient time possible, and without unreasonable delay,” but “consistent with the legitimate needs of law enforcement” and “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.” When this legislation was passed, these broad disclosure guidelines made sense. The thinking was that premature disclosures might disrupt investigations and even encourage additional breaches before security vulnerabilities could be remedied. Incidentally, in 2011 the SEC issued guidance calling on publicly traded companies to disclose cybersecurity incidents. But since such incidents must only be disclosed when they are “material” to investors, publicly traded companies have a tremendous amount of flexibility in determining what needs to be disclosed and when.

Times have certainly changed. Businesses not only know of breaches long before they tell the public, but the bad guys know that they know, and they don’t care. For instance, a savvy hacker like “Peace” knows that among the people shopping for his treasure trove of information are businesses surfing the “dark” web to see whether their own information has been stolen. When reporter Brian Krebs disclosed the Target data breach, he confirmed the story by talking to fraud analysts at a major bank whose team had independently purchased the hacked card data.

Sophisticated hackers like “Peace” probably aren’t stealing personal information so that they can break into a bank or a credit union the next day. They are simply putting the information on the black market and getting the best price they can from the criminal “retailers” who will be the ones actually stealing from accounts. The result is that the true impact of a massive data breach is only felt over time. It also means that the sooner consumers have as much information as possible about a breach, the more they can do to protect themselves. Presently, consumers are the last to know that their personal information has been compromised. If the public can be enlisted to hunt down terrorists, surely it can be trusted with timely information about data breaches.

What we need are hard deadlines for mandated disclosures, with exceptions only when a company can demonstrate that a disclosure would result in direct, immediate and substantial harm.

Filed under: General, New York State, Regulatory.


Authored By:

Henry Meier, Esq., General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association.
