It’s funny how things come full circle. Chris Walsh of EmergentChaos argues that breaches should always be disclosed to the public, despite some expert opinion that they should not. I agree with him: breaches should be publicly disclosed. And, at this time, it’s my belief that:
Breaches should be disclosed to and notifications sent from a central reporting facility to which the public has access.
In the past I argued for a centralized reporting system for breaches (although not necessarily a governmental one). Adam Shostack of EmergentChaos argued that there should not be a central reporting system:
We are seeing great research (and some not so great). We are seeing people apply legal, economic, media, and security perspectives to the data, and new things keep emerging from that. To hand exclusive access to a central agency, absent real harms from the data being widely available, seems unjustified.
Perhaps, in Walsh’s post “British House of Lords gets it”, EmergentChaos changed their opinion, as the UK law mandates:
“A mandatory and uniform central reporting system.”
My suggestion is to fold the notification piece into the central repository. The company would alert the media and public that there was a breach. They then would point the public to the centralized repository for further details.
This achieves a number of ends:
1. The public is still notified.
2. The breach data and details are centralized for the public and for research purposes.
3. It saves the company money on the notifications.
4. In various ways, it may help with compliance issues.
Here’s the downside: notifying the public with a little ad in the back of the newspaper will not be as effective as a direct mailing. How to make breach awareness effective is the remaining issue on the notification side of the house.
PS - I realize that Walsh and Shostack are entitled to their own opinions despite writing on the same blog. That’s why I made the authors of each post clear throughout this entry.
One Comment
For clarity, I don’t think there was any disagreement. I said “exclusive” access. I don’t think that we should send our data to an agency, who would massage it and give us access to the summaries they see fit to create. I stand by that, and don’t think Chris disagrees with me.
Also, I don’t recall Lords arguing against individual notice, only for a central report.