
Immediate Notification Could Hurt Hack Victims

Users could receive false assurances or false alarms if organizations handling their personal information are hit by hackers and required to notify victims within two days, federal advisers and recent government audits suggest.

Meaningful details typically take weeks for forensics specialists to piece together, based on past cases.

Earlier on Friday, the House approved a measure that would compel the Health and Human Services Department to inform consumers within two business days of discovering a breach of personal data.

Current electronic medical records legislation gives most healthcare-related organizations maintaining personal information up to 60 days to alert victims. A measure promoted by the White House and the Senate Judiciary Committee for years would apply the 60-day rule to all businesses, for cases like the recent Target breach. On Wednesday, Committee Chairman Sen. Patrick Leahy, D-Vt., reintroduced the bill.

As for a two-day deadline to notify hack victims, "I do think it's unrealistic," said Deven McGraw, who HHS Secretary Kathleen Sebelius appointed in 2009 to serve on an advisory committee that recommended standards for the exchange of patient medical information. 

"Important details such as exactly whose information was involved, what kind of information, etc., typically get uncovered through detailed investigations, which don't begin until after initial hints of a breach are discovered," she said.

An individual immediately warned might turn out to be unaffected -- or vice versa, said McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. "To make notification meaningful for consumers, you have to give industry some reasonable period of time to investigate," and in some cases, mitigate the damage.

Certain health care-related organizations are exempted from the 60-day rule if disclosing specifics could harm ongoing investigations.

The new House legislation is expected to stall in the Senate, as have most efforts to rein in Obamacare. 

Federal agencies today are required to inform the U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, about cyber events within an hour. But, according to an audit released this week, complete information from most incidents takes days or months to compile. "US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful," the Government Accountability Office reported.

For example, after learning in April 2012 that a hacker attacked a contractor’s computer, it took the Federal Retirement Thrift Investment Board more than two months to verify which individuals were affected and then notify the 123,000 federal employee retirement plan participants. An hour after confirming the hack affected personal information, agency officials were still in the process of determining how much information and the extent of the risk, according to the GAO. 


(Image via Brian A Jackson/
