
Immediate Notification Could Hurt Hack Victims

Users could receive false assurances or false alarms if organizations handling their personal information are hit by hackers and required to notify victims within two days, federal advisers and recent government audits suggest.

Meaningful details typically take weeks for forensics specialists to piece together, based on past cases.

Earlier on Friday, the House approved a measure that would compel the Health and Human Services Department to inform consumers within two business days of discovering a breach of personal data.

Current electronic medical records legislation gives most healthcare-related organizations maintaining personal information up to 60 days to alert victims. A measure promoted by the White House and the Senate Judiciary Committee for years would apply the 60-day rule to all businesses, for cases like the recent Target breach. On Wednesday, Committee Chairman Sen. Patrick Leahy, D-Vt., reintroduced the bill.

As for a two-day deadline to notify hack victims, "I do think it's unrealistic," said Deven McGraw, whom HHS Secretary Kathleen Sebelius appointed in 2009 to serve on an advisory committee that recommended standards for the exchange of patient medical information.

"Important details such as exactly whose information was involved, what kind of information, etc., typically get uncovered through detailed investigations, which don't begin until after initial hints of a breach are discovered," she said.

An individual immediately warned might turn out to be unaffected -- or vice versa, said McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. "To make notification meaningful for consumers, you have to give industry some reasonable period of time to investigate," and in some cases, mitigate the damage.

Certain health care-related organizations are exempted from the 60-day rule if disclosing specifics could harm ongoing investigations.

The new House legislation is expected to stall in the Senate, as have most efforts to rein in Obamacare.

Federal agencies today are required to inform the U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, about cyber events within an hour. But, according to an audit released this week, complete information from most incidents takes days or months to compile. "US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful," the Government Accountability Office reported.

For example, after learning in April 2012 that a hacker attacked a contractor's computer, it took the Federal Retirement Thrift Investment Board more than two months to verify which individuals were affected and then notify the 123,000 federal employee retirement plan participants. An hour after confirming the hack affected personal information, agency officials were still in the process of determining how much information and the extent of the risk, according to the GAO.


(Image via Brian A Jackson/
