By Sandesh Anand
While a strong focus on preventing India’s cyber assets is required, it is a reasonable assumption to make that there will be more cyber attacks in 2017. These attacks will lead to sensitive information leakage, lack of availability of your favorite internet services and other disruptions common during a cyber attack. It is hence important to deliberate on a breach notification policy framework.
Currently, many regulators (such as RBI) and CERT-in lays down many rules to ensure companies report certain kinds of cyber incidents. However, there is no policy which requires entities to report breaches to you and I, the consumers. This means, if (say) a bank get’s hacked and that leads to leakage of consumer’s sensitive information (such as phone number, account balance), the bank is under no obligation to inform the consumers about the extent of the breach and explain what steps are being taken to prevent such incidents in the future. This means, consumers are in the dark about the status of their data and cannot take corrective steps. For instance, if a consumer knows that her credit card number is compromised, she can contact her bank, cancel the card and get a new one issued.
Here are some questions to ponder while we design such a policy:
What type of breaches should be notified?
Agencies like CERT-in require companies to report any “significant” breach, however, attacks which are “significant” may be irrelevant for a consumer. For example, does the consumer really need to be notified if an attack caused internal network outage internal to an organization? How about if only employee details were leaked? On the other hand, attacks which lead to leakage of consumer PII (personal identifiable information) certainly warrants a consumer notification. It is important to make it easy for organizations to distinguish between breaches which need to be notified and otherwise.
Who should be notified?
The policy should address the question of who needs to be notified. Should it be limited to “affected parties” (for example: users whose accounts were compromised) or should the entire public be notified? The answer to this question may differ based on industry, company size, ownership model (i.e. publicly held v/s privately held companies).
Should notifications be enforced? If yes, who should enforce it?
It is important for the policy to define if it merely “recommends” notification or enforces it. If the latter, the policy needs to define who the enforcer should be. Options include central government, state governments (such as in the USA) or industry regulators.
What should be the nature of the notification?
It will be useful to define the nature of the notification as well. While some flexibility can be provided to the breached organization, broad guidelines should be provided. The absence of such a guideline might lead to a organization notifying a breach through a small column on page 16 of a local daily.
When should the notification take place??
While it makes sense to provide breached organizations with some time to investigate the breach, it is important to have a deadline by which the organization has to notify the consumer. For example, the US state of Florida mandates that such a breach be notified within 30 days of determination of the breach.
A robust breach notification policy is a requirement as we move rapidly towards a digital economy. While some companies may resist such a policy as it makes things harder for them, it certainly serves the interest of their customers and brings in much needed transparency to the myriad world of cyber attacks.
Sandesh Anand is a GCPP9 alumni and an Information Security professional. He tweets as @JubbaOnJeans