Mandatory Disclosure: A Hazard for Infosec?

Friday, July 30, 2010

Niels Groeneveld


In the United States and other countries new legislation has been introduced, or will be introduced, regarding the mandatory disclosure of security breaches in which privacy-sensitive information is involved.

Companies have to report such breaches to the government, and in case of large breaches, press reports are issued to inform the public.

Although this is in general a good development - we all want to reduce data breaches - one could wonder what the effects are for infosec professionals. Politicians hope that companies will increase their efforts to reduce breaches, to prevent financial damages and loss of reputation.

One could wonder whether all companies will choose this path.

Management teams prefer to reduce risk and cost. The legislation forces companies to disclose breaches, but does not force companies to find them. Given these circumstances, a possible option to reduce risk is to decrease the chance that security breaches will be found.

Will companies try to prevent incidents from being found by increasing the workload of their security teams on other issues, such as compliance and management reporting, or by reducing the headcount of the team as pre-emptive damage control?

Will management teams reward or punish a security analyst when deciding on yearly bonuses, when that analyst tracked down a data leak which subsequently caused bad publicity and large financial damage to the company due to mandatory disclosure?

What should professionals do when an employer refuses to accept that an incident happened, or when they get instructions to ignore the mandatory disclosure regulations? Should you go public anyway, which will cost you your job, or should you follow orders? If you follow orders, are you liable, or is the management team liable?

Although I fully support the intent of mandatory disclosure legislation, I think it can put people in complex positions. After all, companies hire infosec professionals to protect confidential information, and to prevent bad publicity and financial loss due to security breaches.

Do governments expect these same people to breach confidentiality by disclosing confidential information on security incidents, causing damage to the interests of their own employer?

Will the government assist, in any way, an infosec professional who gets into conflict with his employer because he followed the rule of law on these matters? Will the government prosecute such professionals when they do not breach confidentiality after the company decides not to report the incident?


Mister Reiner: Seriously?

Organizations need to have their personnel sign non-disclosure agreements regarding compromises. Security personnel are not accountable to report compromises to the government and the public - management is accountable.

Security personnel need to prepare the information, to include reporting requirements, and forward the information to management. The ball is then in management's court - and their attorneys' - to make a decision to report the incident.

Security personnel need to make a personal decision whether to remain employed by an organization that fails to properly report an incident. It is not their place to report an incident outside of proper channels - which, in my opinion, is career suicide.
Derrick Buxton: Moot point, someone will find those holes and exploit them, and they will make it public, bringing inquiries on why there was no active program to find the holes. And we are back where we started.

As for the personnel question, I relate it to ethics. I care less about my career than I do my humanity. I can't work for a company if I'm not happy there; if they are not taking care of their customers, I am not happy.
Niels Groeneveld: @Derrick:

That's clear, and I'm not at all against disclosure. Just wondering whether management teams will react as intended by increasing security levels, or whether some will actually try to decrease the 'risk' posed by tracing down these incidents instead of trying to prevent the incidents.

Also I wonder whether or not analysts uncovering incidents which will cost the company a lot of money / damage the reputation of the company due to disclosure will be treated fairly.

Don't forget the impact of these incidents can be severe, both for the company, as well as for managers who will be held responsible, and whose job or bonus might be on the line.

"As for the personnel question, I relate it to ethics. I care less about my career than I do my humanity. I can't work for a company if i'm not happy there, if they are not taking care of their customers, I am not happy."

True, if a company doesn't handle these kinds of incidents ethically, I wouldn't want to work there either ;)

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
