How Long Is Too Long
If you’ve never received an email letting you know your data was compromised, consider yourself lucky. I’ve had three within the past five years (one of which was within the past week). They’re all the same: carefully worded non-apologies about the leaking of your personal information.
A lot of the time, the notification comes months after the breach is discovered. The company spends the first weeks and months trying to secure its systems, then talking to lawyers, police, its board, etc. about the best course of action for litigation or mitigation. Next it spends time regathering all its information and reconfiguring its security. Finally, you’re notified. The process takes months.
In the case of Bannock County, Idaho, the time span was 8 months to be exact. In June of 2020, the Bannock County Courthouse was the victim of a data breach that affected 1,500 people in 12 states. Last week, the county began mailing out notices to the people whose addresses it had on file.
Looking at that timeline raises the question: how long is too long?
Notifications for the theft of your personal data try to downplay the severity. They often tell you that there’s no reason to think any of the compromised data has been used. But how can that be tracked?
After 8 months (or 4 months or a year) without knowing that your information was exposed, there’s no way to go back and look at every event that may have been a repercussion. Did your credit go down 15 points? Have phishing emails increased in your inbox? Did your bank or credit card notify you that there was unusual activity? Are you now receiving more spam calls?
Any or all of these could be the result of a data breach. The problem you encounter, however, is that you can’t go back and look at every event. It isn’t possible to investigate, and that’s what the breached entity is counting on.
No business, educational institution, or government office wants to be responsible for your identity theft. They’re already spending money to fix the problem; they certainly don’t want to deal with a lawsuit on top of it.
It’s easy to become frustrated and demand that the information be sent out immediately. Don’t get me wrong, I agree it should, but there are reasons why an organization may keep it secret for a long stretch of time.
There’s a stigma surrounding attacks. Whether it’s a disgruntled employee accessing company information or a ransomware attack, the victims often blame each other. It’s easy to point to an organization, like Bannock County, and get angry at the leaking of personal information.
As I mentioned previously, organizations don’t want to deal with backlash. This is a major reason why most wait until everything is back in working order to announce any disruption. It’s easier to say, “all this time and nothing’s happened,” than it is to say, “hey, we have to monitor your identity now.”
There is some weight to the stigma of a data breach. Almost every time, it’s a result of human error. An employee with limited technical knowledge could have clicked on a phishing email link. Maybe a password change wasn’t done as scheduled. Administration could have forgotten to disable a former employee’s credentials. Whatever opened the door, however, was most often a person’s misstep.
Someone will argue that I can’t be sure that almost all security breaches are due to human error. That person would be right. I can’t be sure. And that’s mostly because there’s such a lack of transparency when security is compromised.
The Transparency Revolution
Currently there’s almost no regulation of security-related events. Whether it’s an inside data breach or a ransomware attack perpetrated by a well-known piece of malware, there are no guidelines on what to do afterwards. Everything is left up to the organization’s discretion.
In Europe, some are arguing that paying the ransom should be illegal. Among other issues, paying a ransom only makes ransomware more attractive to criminals. It also permits even more secrecy around attacks.
Some have called for the outlawing of Bitcoin. Since it’s unregulated and the favorite payment method of criminals, they reason that banning it would remove the ability to pay. (This isn’t a great solution. There are over 1,600 forms of cryptocurrency, and another one will rise if Bitcoin falls.)
Many people advocate for the increase in security, security training, and standards of protection. I’m on this train. The more real and valid education you have on ANY subject, the better you’ll be equipped to deal with it. Increased security is never a bad idea.
We could argue specifics until we’re blue in the face, but one thing we should all agree on is increased transparency. Along with increased transparency should come strict timelines for notifying the real people who are compromised when these events occur. That’s a starting point.
Humans learn through observation. We can’t learn if we can’t see what’s happening. Whether that’s the inner workings of the security system that was in place when the attack happened, or the knowledge that we have to monitor our personal identity for possible compromises, it all comes down to knowing the specifics. Transparency really is key to defeating security breaches.
You Don’t Know What You Don’t Know
We’re getting a little better every day. We learn a little more. If you’re a regular reader, you should know some tips for spotting phishing. You’re also getting better at securing your personal information. The more you learn, the safer you get.
But we don’t know what we don’t know. When the timeline between a breach and notifying people is so long, it’s hard to backtrack. So that’s our hurdle. We have to push for regulations that mandate how long an organization has before it must notify people. It’s up to us to demand better stewardship of our sensitive information.
Join the conversation. Leave a comment below or hop over to one of our social accounts to talk about your experiences with data breaches and what ideas you have for keeping America more secure.
Until next time, stay safe out there.