There may be a lot of justifiable criticism of Sony in terms of security, but as I’ve commented previously on this blog, I don’t think “delayed notification” when they discovered they were breached was one of their sins.
Robert McMillan reports:
Sony didn’t show up for last week’s Capitol Hill hearing on its massive data breach, thought to have affected more than 100 million video gamers. But that didn’t stop Representative Mary Bono Mack from laying into the company, along with Epsilon, a marketing company that experienced a similar breach just weeks before.
“I am deeply troubled by these latest data breaches and the decision by both Epsilon and Sony not to testify today. This is unacceptable,” said Mack, a California Republican, in her opening remarks. “The single most important question is simply this: Why weren’t Sony’s customers notified sooner about the cyber-attack?”
Read more on Computerworld.
The expectation of immediate disclosure and notification is not without precedent. Last year, California fined the Lucile Packard Children’s Hospital $250,000 for not complying with a state law that requires certain covered entities to notify both the state and affected individuals within 5 days after determining that they’ve suffered a breach. The hospital appealed the fine, but I have not seen any follow-up as to the results of their appeal.
So… what is reasonable in terms of time frame from discovery of a breach and public disclosure? Part of the bad rap Heartland Payment Systems got over their breach was that despite being notified in October or November of 2008 by card issuers that they had been breached, they did not disclose publicly until January 2009. The payment processor stated that although they had been told that they had a problem, they couldn’t find it or confirm it for months despite bringing in various experts to help them. Should they have disclosed in 2008 before they could even confirm they had a breach? If so, what could they have said that would have been of genuine help to those whose card numbers may have been compromised? Wouldn’t the public have been demanding information that they were not yet in a position to provide?
I’m a privacy advocate and not a security professional, but I’d like to see the professionals come up with their own recommendations as to what’s reasonable in these situations. If the public and legislators are making demands on entities that aren’t doable, let’s figure out what is.