Immediate Notification Could Hurt Hack Victims

Users could receive false assurances or false alarms if organizations handling their personal information are hit by hackers and required to notify victims within two days, federal advisers and recent government audits suggest.

Meaningful details typically take weeks for forensics specialists to piece together, based on past cases.

Earlier on Friday, the House approved a measure that would compel the Health and Human Services Department to inform consumers within two business days of discovering a breach of personal data.

Current electronic medical records legislation gives most healthcare-related organizations maintaining personal information up to 60 days to alert victims. A measure promoted by the White House and the Senate Judiciary Committee for years would apply the 60-day rule to all businesses, for cases like the recent Target breach. On Wednesday, Committee Chairman Sen. Patrick Leahy, D-Vt., reintroduced the bill.

As for a two-day deadline to notify hack victims, "I do think it's unrealistic," said Deven McGraw, who HHS Secretary Kathleen Sebelius appointed in 2009 to serve on an advisory committee that recommended standards for the exchange of patient medical information. 

"Important details such as exactly whose information was involved, what kind of information, etc., typically get uncovered through detailed investigations, which don't begin until after initial hints of a breach are discovered," she said.

An individual immediately warned might turn out to be unaffected -- or vice versa, said McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. "To make notification meaningful for consumers, you have to give industry some reasonable period of time to investigate," and in some cases, mitigate the damage.

Certain health care-related organizations are exempted from the 60-day rule if disclosing specifics could harm ongoing investigations.

The new House legislation is expected to stall in the Senate, as have most efforts to rein in Obamacare. 

Federal agencies today are required to inform the U.S. Computer Emergency Readiness Team, part of the Homeland Security Department, about cyber events within an hour. But, according to an audit released this week, complete information from most incidents takes days or months to compile. "US-CERT officials stated they can generally do little with the information typically available within 1 hour and that receiving the information at a later time would be just as useful," the Government Accountability Office reported.

For example, after learning in April 2012 that a hacker attacked a contractor’s computer, it took the Federal Retirement Thrift Investment Board more than two months to verify which individuals were affected and then notify the 123,000 federal employee retirement plan participants. An hour after confirming the hack affected personal information, agency officials were still in the process of determining how much information and the extent of the risk, according to the GAO. 
