When things are moving just a bit too quickly... the whirlwind of data breaches!
I’ve just coined a new term – at least I think I can take credit for it – and remember, you heard it here first: “Breach Speed” . I derived it from the dramatic speed at which data breaches are occurring. Borrowing from the Urban Dictionary, I’d see it something like this:
Breach Speed: A measurement of the lightning pace at which new events unfold.
Person A: Dude, I just met her last night and she’s already got me meeting her parents.
Person B: Oh man, you guys are moving at Breach Speed!
It seems that every time you turn around there’s some new data breach – and if there isn’t a real new one, you can bet that one of the ones that happened last week will suffer an after-shock – you know, like when people find out that it isn’t just the “big breach” of 77 Million users at Sony’s PlayStation Network that the new “security officer” is going to have to take care of (see: Sony boosts security after apologizing for breach), but also the compromise of 25 Million user accounts of the Sony Online Entertainment network that was reported just two weeks later (see: Sony Breach Gets Worse as 25M More Accounts Hacked). Oh, and just ‘cause Canada always likes to be seen to participate (I can say that ‘cause I’m Canadian), they anted up with their own little contribution to Sony’s woes last week with a small, though I’m sure heartfelt, little breach of 2000 names at Sony Ericsson’s joint venture in Canada (see: Sony Battles Canada security breach) – although, to their credit, Canada again upped its contribution at the end of the week with news of the hack of Honda Canada (see: Honda Canada breach exposed data on 250,000 individuals).
What got me on this today was an article from a couple of weeks back on BankInfoSecurity.com that I just finished reading that raises the idea of “Breach Fatigue”. (See: Battling Breach Fatigue). There you go folks, two cool phrases in one blog post – doesn’t get much better!
The article pointed to RSA, Epsilon, Sony and LastPass as recent examples of successful hacks; although, just in the last week and off the top of my head, I would add Lockheed Martin, Bank of America, and of course Honda Canada. The article suggests that these breaches are happening so quickly – that people believe there’s not much they can do about them, that businesses are not sufficiently penalized (the financial impact is marginal), and that consumers are generally protected – that breach fatigue is setting in.
And this is where the concept of Breach Fatigue blends with my own Breach Speed: as Neal O’Farrell, founder of the Identity Theft Council says in the BankInfoSecurity article, “There are so many breaches; it’s just so easy for one breach to disappear in the cloud when a new one emerges.”
The vendors quoted in this article (ThreatMetrix and Tenable Network Security) come up with an interesting suggestion: the idea of ranking the seriousness of a breach – analogous to categorizing the strength of a hurricane... you know, 5 for a Katrina, 5 for an RSA, Epsilon or Sony, maybe a 3 for the Honda Canada one!
But much more important than this, a couple of weeks back the White House released a legislative proposal for Cybersecurity. Among a broad range of measures, the proposal included a call for a federal breach notification law and criminal penalties for cybercrimes. It also included a proposal to simplify and standardize “the existing patchwork of 47 state laws”.
It’s unclear at this point in time where President Obama’s cybersecurity proposal will go – frankly, if it runs the path of the FFIEC’s long-anticipated proposed supplementary guidance to its 2005 “Authentication in an Internet Banking Environment”, it will be somewhat disappointing given how long that one is taking to show up. But it’s early days, and the visibility alone that this proposal adds to constructive steps being made around data breaches and cybersecurity is important.
Now, I realize to some of you that this may sound like my oft-criticized “at least it validates the market” sort of message – but in this case, “validation” is clearly not what’s required. It’s leadership and effective measures to protect the government, companies and individuals from data breaches that’s important – so let’s hope that some of these things start to move at Breach Speed.