SEATTLE -- It has become de facto practice for companies, upon discovering they've been hacked, to notify the U.S. Secret Service, and thus delay or avoid notifying customers whose data may have been stolen. CyberTruth asked Timothy Ryan, Managing Director, Kroll Cyber Investigations Practice, to supply context.
CT: What are the ramifications of this business practice, going forward?
Ryan: It is my experience that when law enforcement is involved, it is not an absolute bar to disclosure. Rather, law enforcement evaluates the matter and then may ask the victim to withhold disclosure if it would compromise the investigation. Notifying law enforcement is not an absolute exception to state data breach laws.
CT: What about exposure of consumers?
Ryan: Delaying disclosure can benefit customers if there is a serious chance that the delay will result in the capture of the criminal. This is a balancing test which is not all that different from many other types of criminal investigations: when do you go public with the investigation to prevent future harm, at the expense of having a strong likelihood of capturing and convicting the criminal?
CT: What are the tradeoffs companies like Target and Neiman Marcus weigh in deciding timing of disclosures of data loss -- or even whether to disclose at all?
Ryan: Companies should understand that data breach notification, handled poorly, is not only expensive but may create further reputational damage. Companies that understate the extent of the breach and overstate their security posture post-breach do so at their peril.
CT: From what we know, how would you describe the perpetrators?
Ryan: The initial breach may have been done by a small number of people; however, for the attackers to monetize the data they stole will require an assortment of groups. The point-of-sale data stolen by these attackers requires a number of steps to convert to cash.
CT: What are the most salient lessons from this particular attack?
Ryan: This is a different attack than we normally see when responding to online and retail attacks. As for the defenses, it will once again show that compliance does not necessarily equate to security. Securing an enterprise is not a simple endeavor. However, companies will eventually move to understanding what is happening on their network in real time rather than just looking for what is known-bad.