Monday , December 2 2024

Majority of US IT Pros Told to Keep Quiet About Data Breaches

While an increasingly number of regulations have made the reporting of data breaches mandatory, a majority of IT professionals in the United States say they have been told to keep quiet about an incident, potentially running afoul of legal requirements.

In a survey released last week, 42% of the more than 400 IT and security professionals surveyed — and 71% of those in the United States — maintain that they have been instructed to keep a data breach confidential when they knew the incident should be reported. Three in 10 of those surveyed have acquiesced and not reported the breach, according to the “2023 Cybersecurity Assessment Report,” published by cybersecurity firm Bitdefender.

Workshop on “DDoS use cases & solutions for government & BFSI” held at BCS

A workshop on "DDoS use cases & solutions for government & BFSI" held at Bangladesh computer society premises on Saturday...
Read More
Workshop on “DDoS use cases & solutions for government & BFSI” held at BCS

Uganda confirms hack of central bank accounts, Refutes $17 Million Claim

Uganda’s finance ministry confirmed media reports that hackers breached the central bank’s systems and stole money, but refuted the claims...
Read More
Uganda confirms hack of central bank accounts, Refutes $17 Million Claim

CVE-2024-11667
Hackers actively exploiting Zyxel firewall to deploy Ransomware

CERT Germany and Zyxel have alerted about a serious vulnerability in Zyxel firewalls, identified as CVE-2024-11667. This flaw is being...
Read More
CVE-2024-11667  Hackers actively exploiting Zyxel firewall to deploy Ransomware

Daily Security Update Dated: 29.11.2024

Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update  Dated: 29.11.2024

CIRT-in flags Critical Flaw in Oracle Agile PLM Framework

CERT-In has flagged a security vulnerability in Oracle’s Agile Product Lifecycle Management (PLM) software, identified as CVE-2024-21287 and cataloged as...
Read More
CIRT-in flags Critical Flaw in Oracle Agile PLM Framework

Microsoft patches four vulnerabilities in its services

On November 26th, Microsoft patched four vulnerabilities detected in Dynamics 365 Sales, the Partner.Microsoft.Com portal, Microsoft Copilot Studio and Azure...
Read More
Microsoft patches four vulnerabilities in its services

Data broker exposes 600K+ passwordless sensitive files online

SL Data Services/Propertyrec, an information research provider exposes a non-password-protected database containing more than 600K records according to the security...
Read More
Data broker exposes 600K+ passwordless sensitive files online

Cloudflare logs faces major failure, losing 55% of user data

Cloudflare suffered an incident roughly 3.5 hours On November 14, 2024 impacting the majority of customers using Cloudflare Logs. Cloudflare...
Read More
Cloudflare logs faces major failure, losing 55% of user data

VMware Patched critical flaw in Aria Operations

VMware revealed several critical vulnerabilities in its Aria Operations product, with the most severe allowing attackers to gain root user...
Read More
VMware Patched critical flaw in Aria Operations

HDFC Life hit by data breach, begins investigation

On Monday, Indian HDFC life insurance said, They got some instances of data leaks. "We have received communication from an...
Read More
HDFC Life hit by data breach, begins investigation

The pressure to keep silent on a potential breach of data not only puts companies at risk of fines and penalties but could place workers at risk as well. In reality, the decision to disclose a breach or not should rest with the executive teams, says Martin Zugec, technical solutions director at Bitdefender.

“If I’m an IT administrator, and maybe security is not even my full-time job, it’s really hard for me to say if we do have the requirement to disclose or not,” he says. “So the responsibility for security should start with executives, with the leadership of the company, and they should be involved in the decision to disclose.”

The impetus to not report a breach is certainly not new. In 2018, for example, a similar survey found that 84% of cybersecurity professionals expected timely notification of a breach, but only 37% of the same group put an emphasis on the expeditious notification of a breach to their customers. In perhaps the most notorious example, a jury found Joe Sullivan, the former CSO of Uber, guilty of obstruction of justice and a related charge last year for his cover-up of a data breach in 2016.

Regulatory Chaos Leads to Problems in United States

While an increasing number of regulations require that companies disclose, those regulations are unfortunately not consistent. That’s especially true in the United States, where a large company will find itself having to comply with 50 jurisdictions, federal regulations, and industry-specific regulations, says Bryan Cunningham, former deputy legal adviser to Condoleezza Rice when she was national security adviser, and now an adviser with Theon Technology. To boot, many companies have customers in Europe, which places them under requirements of the GDPR.

“There are sometimes instances of data handling where it’s literally impossible to comply with the European Union laws and US laws at the same time,” he says. “So the internal people at these companies are torn in a bunch of different directions.”

The European Union’s integrated approach to data security creates a consistent blanket of requirements compared with the United States and its hodgepodge of state, federal, and industry regulations regarding privacy and data protection — which perhaps leads to better disclosure stats.

Three-quarters of respondents in the US (75%) experienced a data breach in the last 12 months, while 51% of respondents in the United Kingdom, 49% in Germany, and even fewer in Italy, Spain, and France experienced a data breach. Yet, compared with the 71% of respondents in the United States who were instructed to keep a breach quiet, just 44% of respondents in the United Kingdom said the same, 37% in Italy, and less than 35% in Germany, Spain, and France, according to the “2023 Cybersecurity Assessment Report.”

“We need to make it much clearer who’s supposed to do what and when, which is why I believe that initiatives like the GDPR are making us, as a whole society, much safer,” Zugec says. “The model of individual responsibility that we have it set up today [in the US], we are running into its limits.”

Penalties Depend on Jurisdiction, Details

The penalty for failing to report a data breach varies widely by the jurisdiction and the specifics of the case, says Kevin Tunison, data protection officer for Egress, an email security provider. In the case of Uber’s security chief, Sullivan, the company paid hackers $100,000 through a bug bounty program to keep quiet about the breach, and the CEO approved of the action.

“There must be disagreement in a healthy culture to debate whether an incident is reportable — if everyone agreed, there would be no need for data protection legislation,” Tunison says. “Lastly and most importantly, human error is no longer an excuse a business can fall back on. It is the responsibility of every organization to take reasonable and cost-effective steps to avoid the avoidable.”

In the US, the criminal code, Title 18, has a variety of potential charges that could be leveled against a person who hindered a data breach investigation, including by not reporting the original incident as required. In the EU, of the 27 countries signed onto the GDPR, 10 have prison terms as a potential penalty for criminal liability.

“Depending on the jurisdiction(s) the company operates in, the risks can be as significant as life in prison,” Tunison says.

The good news is that companies appear to be changing directions, especially in the wake of the Sullivan case. While small and midsize enterprises may not have received the memo because they typically are not the target of enforcement actions and lawsuits, the largest firms around the world are starting to work with governments and asking for more homogenous regulations, says Theon Technologies’ Cunningham.

“I think there is a pretty significant cultural shift among certainly publicly traded companies and regularly regulated companies, that the days of being able to bury this stuff are over,” he says. “Even the wisdom of doing that has been completely reevaluated.”

Check Also

flowchart

Cloudflare logs faces major failure, losing 55% of user data

Cloudflare suffered an incident roughly 3.5 hours On November 14, 2024 impacting the majority of …

Leave a Reply

Your email address will not be published. Required fields are marked *