More Provocative Reasons for a Mandatory National Breach Disclosure

I read, with some small amount of discomfort, an article by Bill Brenner on CSO Online, wherein he interviewed several other CSOs and other “Security Execs” on their opinions on the firing of Pennsylvania CISO Robert Maley. For those who haven’t heard about this, Mr. Maley was fired for talking about a security incident during the recent RSA conference without approval from his bosses.

The first thing that struck me was the “toe the line” posture by everyone interviewed—but then again, I agree that in a position such as the one Mr. Maley held as CISO, speaking publicly about such an incident certainly violates certain aspects of confidentiality, etc., which his job may have required.

The second thing that struck me, of course, was that if a mandatory U.S. National Breach Disclosure law existed, Mr. Maley would not have found himself in such a position to begin with.

Another issue which falls within this controversy is large corporations which try to keep secret the fact that they were involved in serious IT security breaches, and keep their customers in the dark.

We are seeing more and more cases of unauthorized information disclosure day after day, month after month, year over year in all areas—finance, health information and medical records, and other sorts of personal identity theft.

We are long overdue for a national breach disclosure law which makes it mandatory for companies and other organizations to publicly disclose that these incidents have occurred. Long overdue.

I would appreciate hearing thoughts from readers on this issue—please leave your comments.

By Fergie, Director of Threat Intelligence

Comments

The right call for the wrong reasons..... Michael Hammer  –  Apr 12, 2010 2:28 PM

Fergie makes the right call for the wrong reasons. While I was generally aware of the firing of Robert Maley, I didn’t go looking for the details until after reading Fergie’s post.

Mr. Maley was apparently let go for speaking on the topic after being specifically told (after a previous incident) that he was required to get prior approval. The fact that he was technically on vacation further muddies the waters. It appears that under the circumstances Mr. Maley would have had an issue even if there were a breach notification law in place.

I’m speaking as someone who is required to get prior approval when speaking about anything related to my employer. There are two media contacts for our organization and anyone else (including executives) has to go through the appropriate process.

Presenting at a conference is not the same as breach notification.

Fergie is correct though that there is a need for stronger breach notification laws - what happened with Mr. Maley is the wrong reason to justify strengthening notification and disclosure laws.
