
Federal, industry reps call for national standards to report data breaches

The Homeland Security Department should establish a national standard to encourage companies and individuals to report data breaches to federal authorities, helping them gauge the intensity of cyberattacks and investigate cybercrime, security professionals said on Wednesday.

Federal agencies are required to report data breaches to the U.S. Computer Emergency Readiness Team, which is part of DHS. Reporting requirements for companies, however, vary by state.

"Responding to each individual state that we operate in can be a challenge," said David Thompson, chief information officer at security software vendor Symantec, during a panel discussion in Washington hosted by the technology lobbying group TechAmerica. "Creating a national standard with international coordination is key [to] holding companies accountable for protecting data."

California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone not authorized to view it. Most states have since passed variations of the disclosure law.

A national breach notification system is needed because companies and individuals are the main targets for cyber criminals, whose goal typically is to steal credit card information and bank credentials, Thompson said. According to Symantec's 2008 Internet Security Threat Report, 90 percent of all threats target confidential information that, once stolen, is sold. Consumers are particularly vulnerable to cyberattacks because one in five individuals fails to protect personal information on their computers and 40 percent don't update or patch their operating systems.

Symantec also said rogue security software, which relies on scare tactics to fool users into downloading malicious code by posing as legitimate antivirus programs, is on the rise. The company identified 250 such programs and received 43 million reports from customers of installation attempts.

Because most cyberattacks focus on individuals and companies, a national standard for breach notification would provide a more accurate picture for security vendors and federal law enforcement agents who are tracking the kinds of threats cyber criminals are launching, said Thompson and Jeffrey Troy, chief of the FBI's cyber criminal unit.

A national standard "for data breach notification would help us tremendously in terms of effectively conducting investigations," said Troy, who noted that the reports would not be used to investigate individual companies. "We don't want companies just protecting themselves, [because] whatever malware [they] get infected with are going to be used against the company next door and the company across the world. Our strategy requires the largest amount of information on attacks."

Companies are reluctant to report cyberattacks for fear that they will be held accountable for the data loss and possibly lose business or be fined. To encourage compliance, a national standard should provide protections for companies and individuals who disclose breaches, Troy said.

"Some industries that have rules where [companies that fall] victim to data breaches may face financial penalty," he said. "There are so many ways to break into systems, and such high levels of expertise [among hackers], that it may be important to look at those models to see whether or not they're realistic."
