This month, the Department of Homeland Security notified affected employees about a 2014 breach of 247,167 employee records. There are many interesting details in the department’s disclosure, including the fact that there was a six-month privacy investigation between the discovery of the breach and the notification, and the fact that the records were uncovered during a criminal investigation. DHS even revealed that the records were found in the possession of a former DHS Office of Inspector General employee.
But the part that jumped out the most was how explicit DHS was about characterizing this as a “privacy incident.” In its public statement, the department made no mention of the incident as an insider threat issue, despite the records being found in the possession of a former employee.
Rather than question DHS’s designation of this as a “privacy incident,” we should focus on what that designation means. Labeling this a privacy incident suggests that a distinct cyber incident would require an outsider gaining access through the network. It could also indicate that the categorization was made after DHS waited until their forensics demonstrated it was not exposed to malicious activity.
If malicious access is a requirement, any reporting timeline that agencies or companies are required to follow will need to be much longer than previously thought. This extra time would give the forensics team room to do their jobs accurately and fairly, without rushing to conclusions in order to fulfill a reporting timeline.
Further, privacy incidents can have different reporting requirements than cyber incidents — a disparity that likely needs to be addressed, since user data is ultimately compromised in both instances. This differentiation is made harder in examples such as data being available in an open Amazon S3 storage bucket without any malicious access. Should this be categorized as a privacy incident or a cyber incident?
The lines between privacy incident, security incident, insider incident, and fraud are blurry at best. We hope regulation, policy, and — most importantly — stakeholder expectations evolve, ensuring all parties receive the same notification, reporting and remediation standards for any data lost, compromised, or impacted. These basic standards should apply regardless of how the incident may be categorized. Viewing technology, incidents or practices in terms of existing buckets such as fraud, privacy or security is no longer sufficient. Instead, the focus should be on trust and safety.
Regardless of how this event and any others are categorized, it doesn’t really matter — the organization has already lost some of the trust of its employees, customers, and other stakeholders. In DHS’s case, the incident was reported without mentioning privacy in the headline, instead using the term “data breach.” In this situation, the verbiage is appropriate, as it does not matter to many people how it is designated — just that their personal data was compromised.
For DHS and other federal agencies, these designations — and the different requirements tied to them — can directly impact the actions of people responding to the incident. For government to successfully implement incident response programs, whether responding to a PII breach or a nation state actor hack, the legislative branch and the executive branch must provide an atmosphere that encourages CIOs/CISOs to look under those rocks and report the events.
Such reporting should be done with the acknowledgement that it often takes a long time to fully understand any incident. If Congress and agency leadership are demanding real-time updates, they need to understand the information they first receive will be not only incomplete, it will also frequently be inaccurate.
Great progress has been made with regard to focusing more on outcomes versus compliance, but there is still much work to do. Organizations should focus less on how a breach occurred (hacking, insider, fraud, etc.) and focus more on building up and preserving customer trust in their products and services.
By: Joe Stuntz
Joe Stuntz is the vice president of cybersecurity at One World Identity.