
More Provocative Reasons for a Mandatory National Breach Disclosure

Fergie

I read, with some small amount of discomfort, an article by Bill Brenner on CSO Online, wherein he interviewed several other CSOs and other "Security Execs" on their opinions on the firing of Pennsylvania CISO Robert Maley. For those who haven't heard about this, Mr. Maley was fired for talking about a security incident during the recent RSA conference without approval from his bosses.

The first thing that struck me was the "toe the line" posture of everyone interviewed — but then again, I agree that in a position such as the one Mr. Maley held as CISO, speaking publicly about such an incident certainly violates aspects of the confidentiality his job may have required.

The second thing that struck me, of course, was that if a mandatory U.S. National Breach Disclosure law existed, Mr. Maley would not have found himself in such a position to begin with.

Another issue that falls within this controversy is that of large corporations which try to keep secret the fact that they were involved in serious IT security breaches, and keep their customers in the dark.

We are seeing more and more cases of unauthorized information disclosure day after day, month after month, year over year in all areas — finance, health information and medical records, and other sorts of personal identity theft.

We are long overdue for a national breach disclosure law which makes it mandatory for companies and other organizations to publicly disclose that these incidents have occurred. Long overdue.

I would appreciate hearing thoughts from readers on this issue — please leave your comments.

By Fergie, Director of Threat Intelligence

Comments

The right call for the wrong reasons..... Michael Hammer  –  Apr 12, 2010 6:28 AM PST

Fergie makes the right call for the wrong reasons. While I was generally aware of the firing of Robert Maley, I didn't go looking for the details until after reading Fergie's post.

Mr. Maley was apparently let go for speaking on the topic after being specifically told (after a previous incident) that he was required to get prior approval. The fact that he was technically on vacation further muddies the waters. It appears that under the circumstances Mr. Maley would have had an issue even if there were a breach notification law in place.

I'm speaking as someone who is required to get prior approval when speaking about anything related to my employer. There are two media contacts for our organization and anyone else (including executives) has to go through the appropriate process.

Presenting at a conference is not the same as breach notification.

Fergie is correct, though, that there is a need for stronger breach notification laws; what happened with Mr. Maley is the wrong reason to justify strengthening notification and disclosure laws.
