Shostack + Friends Blog Archive


Department of Justice on breach notice

There’s an important new report out from the Department of Justice, “Data Breaches: What the Underground World of ‘Carding’ Reveals.” It analyzes several cases and the trends in carding and in the underground markets around it. I want to focus on one area, its recommendations around breach notification:

Several bills now before Congress include a national notification standard. In addition to merely requiring notice of a security breach to law enforcement, it is also helpful if such laws require victim companies to notify law enforcement prior to mandatory customer notification. This provides law enforcement with the opportunity to delay customer notification if there is an ongoing criminal investigation and such notification would impede the investigation. Finally, it is also helpful if such laws do not include thresholds for reporting to law enforcement even if certain thresholds – such as the number of customers affected or the likelihood of customer harm — are contained within customer notification requirements. Such thresholds are often premised on the large expense of notifications for the victim entity, the fear of desensitizing customers to breaches, and causing undue alarm in circumstances where customers are unlikely to suffer harm. These reasons have little applicability in the law enforcement setting, however, where notification (to law enforcement) is inexpensive, does not result in reporting fatigue, and allows for criminal investigations even where particular customers were not apparently harmed. (“Data Breaches: What the Underground World of ‘Carding’ Reveals,” Kimberly Kiefer Peretti, U.S. Department of Justice, forthcoming in Volume 25 of the Santa Clara Computer and High Technology Journal, page 28.)

I think such reports should go not only to law enforcement, but also to consumer protection agencies. Of course, this sets aside the question of whether these arguments are meaningful, and it potentially costs us an ally in the fight for more and better data, but I’m willing to take small steps forward.

Regardless, it’s great to see that the Department of Justice is looking at this as something more than a flash in the pan. They see it as an opportunity to learn.

2 comments on "Department of Justice on breach notice"

  • Well now, it’s ’bout time for some federal action, eh?
    I like how they differentiate themselves from typical customers; who knew law enforcement could be so inexpensive, free of alarm fatigue, and willing to act even where harm is not clear. Maybe it’s just me, but that does not sound like the law enforcement I am familiar with.

  • Nathaniel H. says:

    I think it will be a great day when breach data is available in a repository easily accessible to academics (sorry, only mentioning them due to personal bias). Doing some solid research using anything centric to law enforcement, whether it be digital forensics or breach data, is very difficult. I find the “If we let this information out for everyone to read, it will only help the bad guys” excuse somewhat played out.
