The Homeland Security Department should establish a national standard to encourage companies and individuals to report data breaches to federal authorities, helping those authorities gauge the intensity of cyberattacks and investigate cybercrime, security professionals said on Wednesday.
Federal agencies are required to report data breaches to the U.S. Computer Emergency Readiness Team, which is part of DHS. Reporting requirements for companies, however, vary by state.
"Responding to each individual state that we operate in can be a challenge," said David Thompson, chief information officer at security software vendor Symantec, during a panel discussion in Washington hosted by the technology lobbying group TechAmerica. "Creating a national standard with international coordination is key [to] holding companies accountable for protecting data."
California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone not authorized to view it. Most states have since passed variations of the disclosure law.
A national breach notification system is needed because companies and individuals are the main targets for cyber criminals, whose goal typically is to steal credit card information and bank credentials, Thompson said. According to Symantec's 2008 Internet Security Threat Report, 90 percent of all threats target confidential information that, once stolen, is sold. Consumers are particularly vulnerable to cyberattacks because one in five individuals fail to protect personal information on their computers and 40 percent don't update or patch their operating systems.
Symantec also said rogue security software, which relies on scare tactics to fool users into downloading malicious code by posing as legitimate antivirus programs, is on the rise. The company identified 250 such programs and received 43 million reports from customers of installation attempts.
Because most cyberattacks focus on individuals and companies, a national standard for breach notification would provide a more accurate picture for security vendors and federal law enforcement agents who are tracking the kinds of threats cyber criminals are launching, said Thompson and Jeffrey Troy, chief of the FBI's cyber criminal unit.
A national standard "for data breach notification would help us tremendously in terms of effectively conducting investigations," said Troy, who noted that the reports would not be used to investigate individual companies. "We don't want companies just protecting themselves, [because] whatever malware [they] get infected with is going to be used against the company next door and the company across the world. Our strategy requires the largest amount of information on attacks."
Companies are reluctant to report incidents of cyberattacks, in fear that they will be held accountable for the data loss and possibly lose business or be fined. To encourage compliance, a national standard should provide protections for companies and individuals who disclose breaches, Troy said.
"Some industries have rules where [companies that fall] victim to data breaches may face financial penalty," he said. "There are so many ways to break into systems, and such high levels of expertise [among hackers], that it may be important to look at those models to see whether or not they're realistic."