— An OpEd by DataBreaches —
When it comes to data breach disclosures, the very same entities who claim to take our privacy and security very, very seriously are generally not being transparent in their breach disclosures. Their refusal to be transparent often results in consumers and patients being left in the dark about the risks we face from breaches. Those affected may first find out about incidents from threat actors or the media instead of from the entities who were responsible for securing the data. DataBreaches believes it’s time to consider promoting legislation that will require disclosure of facts about breaches that are currently being withheld and that will prohibit certain kinds of obfuscation or “weasel words” that mislead consumers and patients.
As one recent example of frustrating non-transparency, WDRB reported, “Norton, a company serving about 600,000 patients a year with nearly $5 billion in assets, continues to be tight-lipped about the May 9 data breach, which it refers to as a “cyber event.” That breach has been the subject of speculation for months as the company works to recover its information and patients struggle to obtain prescriptions and schedule appointments.”
Their so-called “cyber event” was a ransomware attack by AlphV (aka BlackCat). Has Norton learned nothing in 6 months about the scope of the breach that they could share with those affected?
The alleged lack of transparency by Norton is just one more example of a recurring problem this year. We’ve seen all too many entities engage in verbal gymnastics to avoid simply acknowledging they were the victim of a ransomware attack. And we’ve seen all too many entities tell people that their data “may have been exposed” when the entity already knows that not only were data accessible to the threat actor, but data was exfiltrated, and not only was data exfiltrated, some data was already being leaked and more would probably be leaked.
Any entity that knows data are being leaked on the dark web and/or clearnet but does not disclose that to those whose data was stolen should be fined for every day that it fails to disclose it, and its executives should be held responsible.
And then there are entities who rush to assure people that they have no evidence that data has been misused even though it’s early days, and even though they know that the data is in the hands of criminals who wouldn’t hesitate to misuse it. Brett Callow of Emsisoft has been recently highlighting these types of misleading statements. Discussing a notice by the Toronto Public Library, Callow told the Toronto Star:
Claiming that there’s ‘no evidence’ when the forensic work to find the evidence is still ongoing is irresponsible and exposes those affected to unnecessary risk. If they don’t know that their information may have been compromised, they don’t know they should be monitoring their bank accounts, changing their passwords, etc.
DataBreaches agrees with Callow. Rather than giving reassurances that may need to be revoked or revised in a matter of weeks, entities should be prohibited from giving quick assurances and instead state something to the effect of, “It is too soon to know about whether data has already been misused or is likely to be, but on the principle of rather safe than sorry, people should take the following steps if they want to protect themselves: … a, b, c…”
One way in which some entities try to distract us or dissuade us from pressing them for information is to mention (and often, more than once) that they are cooperating with law enforcement. So what if they are? Cooperation with law enforcement is not an excuse not to be transparent unless the FBI specifically asks the entity not to disclose something. In almost all cases this year where DataBreaches has seen entities state they are cooperating with the FBI or law enforcement, they are not claiming that they were asked to delay or withhold notification. Statements about cooperating with law enforcement are also often accompanied by statements that the entity cannot reveal more because of an ongoing investigation. That, too, is misleading. There is nothing that legally prevents most entities from informing you that they already know some data was stolen from their server or that they already know some data has been released on the internet by threat actors trying to pressure them. They are choosing not to be transparent with you.
Some entities frankly admit that they are being advised not to be transparent — to limit liability or for other reasons. DataBreaches believes that if an entity needs time to secure its network, that is a legitimate justification for not disclosing some information about the attack until it is secured. And if law enforcement does ask the entity not to disclose something because it will jeopardize a law enforcement activity, that, too, might be an acceptable reason not to disclose facts the entity is already in possession of. But if the sole or main purpose is just to protect the entity from scrutiny or criticism when consumers and patients are demanding information, DataBreaches believes that the lack of transparency is unacceptable.
The ultimate victims of a breach — consumers and patients — should not first find out from criminals or reporters that their data has been stolen or leaked. They should find out first from the entity responsible for their data. And they should be given accurate information and not “weasel words” or misleading statements.
Enforce Existing Regulations and Statutes
DataBreaches urges state attorneys general to enforce state laws on data security and breach notifications.
The Federal Trade Commission also has authority under Section 5 of the FTC Act to take action against entities that engage in deceptive and unfair practices. DataBreaches believes that incomplete and misleading breach disclosures constitute an unfair practice as defined in the Act: an act or practice that (1) causes or is likely to cause substantial injury to consumers, (2) cannot be reasonably avoided by consumers, and (3) is not outweighed by countervailing benefits to consumers or to competition.
The U.S. Department of Health and Human Services also has the authority to enforce HIPAA and HITECH, although the regulations are not strong enough to really require the type of transparency DataBreaches is seeking.
Maybe if Congress can stop shooting itself in the foot and engaging in ridiculous clowny shows, we can find someone to promote meaningful bipartisan legislation.
But Until We Have More Enforcement or Statutes or Regulations Mandating More Transparency….
If data from a breach is being publicly leaked or a leak seems likely but the entity has not disclosed that, DataBreaches usually first attempts to contact the entity to ask them for a statement about the incident. If they fail to respond or their response appears misleading, DataBreaches will often report the incident publicly and include redacted screenshots as proof that personal data has been compromised.
Will consumers or patients be angry at the entity for not being more transparent and for having had to find out what is going on from this site, other media outlets, or from the threat actors themselves? Probably.
Will entities be sending DataBreaches Christmas cards if this site reveals a breach they haven’t disclosed yet or if they haven’t disclosed transparently? Probably not.
Will DataBreaches stop exposing breaches that entities have failed to disclose or have resisted disclosing transparently? No.
People need to know when their data is in the wild or about to be dumped so they can take steps to protect themselves. If entities won’t be transparent about that, DataBreaches will.
Image: Lastonein, CC BY-NC-ND 2.0 DEED