Industry pushes back against India's data security breach reporting requirements

Opposition is building to India's recently introduced rules on reporting computer security breaches, which have come under fire for being impractical, ineffective, and impinging on privacy. The rules were introduced without fanfare in late April by CERT-In, the nation's government-run computer emergency response team that has …

  1. Neil Barnes

    Responding at 4am may not be effective...

    Perhaps if enough execs lose sleep over it, they might try further hardening the systems against such abuse?

    1. Mike 137

      Re: Responding at 4am may not be effective...

      "if enough execs lose sleep over it"

      They probably won't. The IT department will most likely be guided 'unofficially' towards delaying discovery.

      However 6 hours is objectively much too short. The actual process of discovery (including confirmation with reasonable confidence of being right) can take days at least. Even the general 72 hour rule has apparently caused massive over-notification of trivial incidents in the UK (reported by the ICO). The deadline can be reached before anyone on site really knows what happened yet, leading to vague or inaccurate notifications or mis-assessment of the significance of events.

      Considering that the time between data breaches occurring and their discovery is commonly still in the order of 100s of days, both limits seem a bit disproportionate.

      1. Anonymous Coward

        Re: Responding at 4am may not be effective...

        I work in the NHS. We report confirmed breaches or those we cannot quickly confirm to the ICO within 72 hours as the alternative is the ICO criticising us for being slow, not taking our responsibilities seriously enough etc.

        This just increases our workload and theirs, they are chronically slow to respond now compared to 2017 and before. They don't have the capacity to manage, yet their own guidelines mean we have little option but to do so.

        We have no issue logging these incidents or suspected incidents though, but the quality of the follow up investigations is dire and our own internal processes tend to be far more rigorous.

        Health services get a lot of stick for reporting the most incidents, but that's just the culture within the NHS - best to report and learn (especially medical mistakes, dosing errors etc) than to ignore and cause harm. The same cannot be said for any other area of the public or private sector. It will always be high because we are more cautious.

        1. Cynical Pie

          Re: Responding at 4am may not be effective...

          You also forget reporting of incidents is a mandatory part of the DSPT for NHS organisations and was for its previous iterations under the IG Toolkit.

          That's one reason why the NHS has always looked bad from a data security standpoint, they were the only organisation (and I use that collectively for all parts of the NHS) that was required to report its breaches.

          In terms of the 72 hr reporting requirement the ICO take quite a pragmatic view in my experience and are happy as long as a basic notification is filed within 72 hrs and you can then update it after the window with more details.

  2. Anonymous Coward

    nice CERT you've got there...

    ...would be a tragedy if it got DOSd by people strictly following your own rules!

    1. Anonymous Coward

      Re: nice CERT you've got there...

      Let's start to port-scan Indian IPs...

      Anyway this looks like the common attempt to sneak-in tracking activities (i.e. the VPN user tracking...) trying to hide them inside "needed cybersecurity practices"

  3. Andy The Hat

    I love coincidences

    It has to be a coincidence that just as the UK have been talking to the Indians and "negotiating" new deals the Indians come out with something similarly convoluted to the UK's right to snoop laws ... "These 500 clauses mean we guarantee protection against misuse of individuals' data, we guarantee the privacy of individuals' data ... oh and clause 437.1.1.2.b subsection Q just allows us to legally snoop, slurp, store and track all your data without just cause or a warrant, share it with who we like and do it all with no oversight or legal comeback (apart from the threat of being sent a stern memo for being naughty every year by a Government appointed Data Overseer)"

  4. VoiceOfTruth

    Best practice

    -> not aligned with global best practice of 72-hour reporting

    Can anyone tell me where this is written in stone? If my bank is hacked why is 72 hours the best practice?

    1. Persona

      Re: Best practice

      NOUN

      commercial or professional procedures that are accepted or prescribed as being correct or most effective.

      Based on this definition, best practice for banks would appear to be not to report anything.

    2. Michael Wojcik

      Re: Best practice

      It's not "written in stone". It's a best practice, not a standard or law.

      It's best practice because it takes time to assess whether a portscan or DoS or other event is actually a breach, much less one of any significance. As it is, as someone mentioned upthread, even after 72 hours we get a lot of noise with insignificant events being reported. Scans, DoSes, and other automated attacks happen all the time. Reporting all of those makes it impossible to separate the wheat from the chaff; it's worse than not reporting at all.

      "my bank is hacked" is a meaningless phrase. It has no technical meaning. What matters are breaches and damage done, what's known and suspected and with what probability, what risks are present, what contingency plans are in place -- technical specifics. Your bank is "hacked", for some meaning of the term, every day, probably every hour. Everything on the public Internet is, to a first approximation. The public Internet itself is, with invalid BGP routing advertisements and the like (which number in the thousands per day).

      It's a harsh world. Panicking at every little thing does not help.

  5. Anonymous Coward

    Better more than less

    I have severe doubts that CERT-In will be able to handle the load. I suspect they have limited software in place to act on the data. And I don't know how useful they will be in assisting with successful hacks.

    But, quicker reports of hacking attempts, successful and unsuccessful, are objectively a good thing.

    Ideally, given good software and processing power, this could lead to warnings like 'DDOS attacks are targeting freight companies in New Delhi' which would alert those who have not been hit and assure those who have that they were not individually targeted.

    In successful hacks, this could lead to quicker actions instead of postmortems.

    And as a consumer I definitely want to know if a company I do business with was hacked well before the company figures the hack out and starts the PR process.

    Besides, if the tech behemoths are against it, it's probably an idea with some merit.

    1. Michael Wojcik

      Re: Better more than less

      But, quicker reports of hacking attempts, successful and unsuccessful, are objectively a good thing.

      I'm afraid that's simply incorrect. Faster and more voluminous reporting of attacks is not an absolute good.

      For reporting to be of any use whatsoever, it has to be limited as much as possible, to a high probability, to events of interest. The vast majority of "hacking attempts" under any reasonable definition (as I noted above, phrases like "hacking attempts" are largely meaningless, but let's pretend they correspond to some useful concept) should most definitely not be reported. If we insist on reporting them, companies might as well run a client that just sends a continual stream of reports to the observer; that would be equivalent and more efficient.
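The two Michael Wojcik comments above (and Mike 137's point about the 72-hour window filling up with trivial incidents) turn on one practical question: how does a team keep scans, floods and failed brute-force noise out of its regulator-facing reports while still filing a timely preliminary notice for something that looks like real unauthorised access? The following is an added example, written for this page and not code from The Register, CERT-In or any commenter. The event records, field names (`kind`, `src`, `dst_port`, `db_export`), the thresholds, and the two regime lengths (6 h and 72 h) are all constructed assumptions, not any real SIEM schema or legal text.

```python
"""Triage of raw security events into findings, keeping high-volume automated
noise (port scans, HTTP floods, failed brute force) internal and flagging only
a plausible compromise as reportable, then computing the deadline for a
preliminary notice under a given regime. Added example; all data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumption: flat dicts, one per event, UTC timestamps).
SAMPLE_EVENTS = (
    # ~1000 refused connections to distinct ports from one host: a port scan
    [{"ts": "2022-05-01T03:55:00Z", "src": "198.51.100.7", "kind": "conn_refused", "dst_port": p}
     for p in range(20, 1045)]
    # 50 distinct sources hammering 443 at once: a DDoS (availability, not a data breach)
    + [{"ts": "2022-05-01T04:00:00Z", "src": "203.0.113.%d" % i, "kind": "http_flood", "dst_port": 443}
       for i in range(1, 51)]
    # 30 failed logins, then a success, then a bulk export from the same source
    + [{"ts": "2022-05-01T04:02:00Z", "src": "192.0.2.9", "kind": "auth_failure", "user": "admin"}
       for _ in range(30)]
    + [{"ts": "2022-05-01T04:03:10Z", "src": "192.0.2.9", "kind": "auth_success", "user": "admin"},
       {"ts": "2022-05-01T04:05:00Z", "src": "192.0.2.9", "kind": "db_export", "user": "admin", "rows": 120000}]
)


@dataclass
class Finding:
    src: str
    category: str      # "scan", "dos", "brute_force" or "suspected_breach"
    reportable: bool   # True only if it should go to an external CERT/regulator
    events: int
    first_seen: datetime


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, scan_ports=100, flood_sources=20):
    """Collapse raw events into per-source findings. Thresholds are assumptions."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)

    findings = []
    flood = [e for e in events if e["kind"] == "http_flood"]
    flood_srcs = {e["src"] for e in flood}
    if len(flood_srcs) >= flood_sources:
        # Many sources flooding one service is one DoS finding, not 50 reports.
        findings.append(Finding("multiple", "dos", False, len(flood),
                                min(_parse_ts(e["ts"]) for e in flood)))

    for src, evs in sorted(by_src.items()):
        if src in flood_srcs:
            continue  # already folded into the DoS finding
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        kinds = [e["kind"] for e in evs]
        first = min(_parse_ts(e["ts"]) for e in evs)
        ports = {e.get("dst_port") for e in evs if e["kind"] == "conn_refused"}
        if len(ports) >= scan_ports:
            findings.append(Finding(src, "scan", False, len(evs), first))
            continue
        if "auth_failure" in kinds:
            tail = kinds[kinds.index("auth_failure"):]
            if "auth_success" in tail and "db_export" in tail[tail.index("auth_success"):]:
                # Failures, then success, then bulk read: cannot be quickly ruled out,
                # so it crosses the notification threshold as a suspected breach.
                findings.append(Finding(src, "suspected_breach", True, len(evs), first))
            else:
                findings.append(Finding(src, "brute_force", False, len(evs), first))
    return findings


def reportable(findings):
    return [f for f in findings if f.reportable]


def deadline_for(detected_iso: str, regime_hours: int) -> str:
    """Reporting clock starts when the organisation becomes aware, not when the
    attack happened (the model the 72-hour regimes in the thread use)."""
    return (_parse_ts(detected_iso) + timedelta(hours=regime_hours)).isoformat()


def preliminary_notification(finding: Finding, detected_iso: str, regime_hours: int) -> dict:
    """Only what can honestly be stated before the investigation finishes; the
    scope is filed as a later update, the practice described upthread for the ICO."""
    return {
        "status": "preliminary",
        "category": finding.category,
        "first_seen": finding.first_seen.isoformat(),
        "deadline": deadline_for(detected_iso, regime_hours),
        "scope": "unknown",
        "follow_up_required": True,
    }


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.category:17} src={f.src:14} events={f.events:5} reportable={f.reportable}")
    for f in reportable(found):
        print(preliminary_notification(f, "2022-05-01T09:00:00Z", regime_hours=6))
```

Run as-is, the ~1100 raw events reduce to three findings, of which only the failed-then-successful login followed by a bulk export is marked reportable; the scan, the flood and the failed brute force stay in the internal log. Swapping `regime_hours=6` for `72` shows the only thing the regime changes is the deadline, not what is worth reporting.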

  6. Kev99

    To me it just seems the industry doesn't give a rat's rear about security, confidentiality, or protection of data. They're more concerned about cheap product, massive profits and keeping the stockmarket, and their back pockets, happy.
