The growing incidence of breaches that extract customer account credentials, together with more expansive breach notification requirements, puts enterprises between a rock and a hard place. They are subject to the cruel logic that a breach of one provider can result in the compromise of customer accounts at another because of user password reuse — with regulations becoming more demanding in order to narrow the window of opportunity for this cruel logic to play out.
But as recent breaches have illustrated, enterprises generally find out which accounts have been exposed only when attackers put user credential dumps up for sale. Not only do these scenarios set off panic mode, enterprises are then compelled to issue a blanket breach notification to all customers — further damaging customer confidence and trust. In some cases, those receiving the notifications may not even be current customers. And as recent activity by Twitter shows, companies may have to go through the equivalent of a breach notification even in the absence of a breach.
In anticipation of a breach and of user credentials finding their way to hacker marketplaces, enterprises need to take a proactive stance and have a response plan in place — rather than being caught flat-footed by external catalysts. Mapping customer identities to their personal data wherever it resides, and maintaining a central view of what data belongs to whom, is the foundation for a sane breach notification plan — and can help avoid having to issue blanket notifications.
Minimizing breach impact through timely notifications
Most responsible enterprises are already on the path of centralizing user data and hashing and salting passwords. But user accounts can be compromised without attackers breaching the user data repositories. Attackers can infer likely user names and passwords by correlating data from other breaches, and then launch automated attacks to discover which combinations work. This is precisely why Twitter recently counseled users to reset their passwords: its own systems had not been breached, but cybercriminals had put Twitter handles and credentials up for sale.
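The automated attacks described above leave a distinctive trace in authentication logs: one source trying many different usernames in a short window, most of them failing, with the occasional success where a reused password happened to match. The following is an added example, not code from the original post or from BigID, that runs that heuristic over a handful of constructed log lines in an assumed `timestamp ip username outcome` format and returns the accounts that should be forced through a password reset.

```python
"""Credential-stuffing detection over constructed auth log lines (added example).

The log format is an assumption for this example:
    <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not a real log. One source cycles through eight
# usernames in seven seconds and gets two hits; two other sources look normal.
SAMPLE_LOG = """\
2016-06-10T12:00:01 198.51.100.7 alice LOGIN_FAIL
2016-06-10T12:00:02 198.51.100.7 bob LOGIN_FAIL
2016-06-10T12:00:03 198.51.100.7 carol LOGIN_FAIL
2016-06-10T12:00:04 198.51.100.7 dave LOGIN_OK
2016-06-10T12:00:05 198.51.100.7 erin LOGIN_FAIL
2016-06-10T12:00:06 198.51.100.7 frank LOGIN_FAIL
2016-06-10T12:00:07 198.51.100.7 grace LOGIN_FAIL
2016-06-10T12:00:08 198.51.100.7 heidi LOGIN_OK
2016-06-10T12:05:00 203.0.113.9 alice LOGIN_FAIL
2016-06-10T12:05:30 203.0.113.9 alice LOGIN_OK
2016-06-10T13:00:00 192.0.2.33 bob LOGIN_OK
"""


def parse_log(text):
    """Turn raw lines into (timestamp, ip, username, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within a sliding window, try many *distinct* usernames
    with a high failure ratio. A legitimate user mistyping their password fails on
    one username; a stuffing run fails across many. Returns a dict mapping each
    flagged IP to the sorted usernames that logged in successfully during a
    flagged window (the accounts most likely to have a reused password)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        suspicious = False
        hits = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[3] == "LOGIN_FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                suspicious = True
                hits.update(e[2] for e in win if e[3] == "LOGIN_OK")
        if suspicious:
            flagged[ip] = sorted(hits)
    return flagged


def accounts_to_reset(flagged):
    """Union of successful logins seen from flagged sources: the reset list."""
    if not flagged:
        return []
    return sorted(set().union(*flagged.values()))


if __name__ == "__main__":
    result = detect_stuffing(parse_log(SAMPLE_LOG))
    print("flagged sources:", result)
    print("force password reset for:", accounts_to_reset(result))
```

The thresholds (five distinct usernames, 60% failures, five-minute window) are illustrative; the useful signal is distinct-username count per source, which a throttle on failures per *account* never sees because each account is only tried once or twice.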
Complicating the picture for many enterprises is that they can’t consistently map which user accounts have been exposed, or more seriously, which accounts are likely to have been compromised. Instead, in order to comply with breach notification rules, they must alert all customers who could potentially have been affected.
At the same time, breach notification laws, which have been in place for some time (in the health care vertical, for example), are becoming more explicit and stricter, because regulators see this trend as undermining the systemic integrity of digital business — not just that of the affected enterprises.
In fact, legislation is on the docket in states such as California and New York that would mandate specific security measures to protect password information — along with setting up fines if enterprises don’t disclose a breach quickly enough. Also, proposed breach legislation is taking a more expansive view of what constitutes personal information, including medical, insurance or biometric data. Illinois recently joined California, Florida and Nebraska in passing legislation that requires individuals to be notified if their username, in combination with a password or with a security question and answer that would permit access to an online account, is acquired without authorization.
Across the pond, the E.U. General Data Protection Regulation now mandates that a data protection supervisory authority is notified of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
Centralize your customer data knowledge, not your customer data
Breach notification procedures are not only time consuming and expensive, they also undermine customer confidence and create reputational risk, especially for enterprises that want to be seen as vigilant custodians of their customers’ data.
Rather than throwing up their hands and accepting that a breach is the cost of doing business, or shifting the burden onto users to manage their passwords, enterprises need tools to actively limit the scope of breach notification requirements, and to ensure that a plan is in place to respond if user accounts are compromised.
Centralizing user data has its own challenges — and in many instances may not be technically feasible or consistent with regulatory frameworks. Instead, what’s needed is a centralized view of customer identities and their data.
Fragments of personal data are strewn across applications, databases, directories and big data repositories without a central view of what data belongs to whom. Understanding who your users are, and constructing a view into where their data resides, provides a foundation for a more granular view of breach exposure risk. With a clear view of the identities they are looking to protect, enterprises can both work towards limiting the scope of personal data covered under breach notification requirements and pinpoint which users are most at risk when third-party breaches unfold.
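What such a central view of identities buys you, concretely, is the ability to answer two questions the moment a third-party dump surfaces or one of your own systems is breached: which of *our* customers are affected, and which of them hold a category of data (an online credential, or medical, insurance or biometric data) that triggers a notification duty? The following is an added example, not code from the original post or from BigID, that models a small identity-to-data index with hypothetical system names, matches a constructed third-party dump against it by e-mail, and scopes the notification to the customers who actually need one instead of a blanket mailing.

```python
"""Scoping breach notification from a central identity-to-data index (added example).

The data stays where it lives; only the *knowledge* of who holds what is
centralised. System names and customer records below are constructed.
"""

# Data categories the post names as triggering notification duties under
# enacted or proposed rules. Simplified for the example.
REGULATED = {"username+password", "username+security_qa", "medical", "insurance", "biometric"}

# Constructed identity index: customer id -> contact e-mails, status, and
# which hypothetical system holds which category of their data.
IDENTITY_INDEX = {
    "cust-001": {"emails": {"alice@example.com"}, "active": True,
                 "holdings": {"web_auth": {"username+password"}, "claims_db": {"medical"}}},
    "cust-002": {"emails": {"bob@example.com", "bob.old@example.net"}, "active": True,
                 "holdings": {"web_auth": {"username+password"}, "crm": {"name", "address"}}},
    "cust-003": {"emails": {"carol@example.com"}, "active": False,
                 "holdings": {"crm": {"name"}}},
    "cust-004": {"emails": {"dave@example.com"}, "active": True,
                 "holdings": {"web_auth": {"username+security_qa"}, "hr_portal": {"biometric"}}},
}

# Constructed e-mails seen in a third-party credential dump (one is not ours).
DUMP_EMAILS = ["alice@example.com", "BOB.OLD@example.net", "carol@example.com", "zed@example.org"]


def index_by_email(identity_index):
    """Reverse index: lower-cased e-mail -> customer id."""
    lookup = {}
    for cust, rec in identity_index.items():
        for email in rec["emails"]:
            lookup[email.lower()] = cust
    return lookup


def match_third_party_dump(identity_index, dump_emails):
    """Customers whose e-mail appears in a dump from someone else's breach."""
    lookup = index_by_email(identity_index)
    return sorted({lookup[e.lower()] for e in dump_emails if e.lower() in lookup})


def notification_scope(identity_index, exposed_customers, breached_systems=()):
    """Decide who must be notified, and why. A customer is in scope if
    (a) they appear in a third-party dump *and* hold an online credential with
        us, so password reuse puts their account at risk; or
    (b) one of our own systems known to be breached holds a regulated category
        of their data.
    Returns {customer_id: sorted reasons} for customers with at least one reason."""
    scope = {}
    for cust, rec in identity_index.items():
        reasons = set()
        if cust in exposed_customers:
            for system, cats in rec["holdings"].items():
                for cat in cats:
                    if cat.startswith("username+"):
                        reasons.add(f"{cat} held in {system}: reuse risk from third-party dump")
        for system in breached_systems:
            for cat in rec["holdings"].get(system, ()):
                if cat in REGULATED:
                    reasons.add(f"{cat} held in {system}: system breached")
        if reasons:
            scope[cust] = sorted(reasons)
    return scope


def summarize(identity_index, scope):
    """How many we would have mailed blindly versus how many actually need it."""
    return {"customers": len(identity_index),
            "active": sum(1 for r in identity_index.values() if r["active"]),
            "notify": len(scope)}


if __name__ == "__main__":
    exposed = match_third_party_dump(IDENTITY_INDEX, DUMP_EMAILS)
    scope = notification_scope(IDENTITY_INDEX, exposed, breached_systems=("claims_db",))
    for cust, reasons in scope.items():
        print(cust, "->", "; ".join(reasons))
    print(summarize(IDENTITY_INDEX, scope))
```

Note what the index does for the former customer `cust-003`: their e-mail is in the dump, but the index shows no online credential on file and no regulated data in a breached system, so they are not mailed. That is the difference between a scoped notification and the blanket one the post describes, and it is only possible because the holdings were mapped before the dump appeared.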
Dimitri Sirota is the CEO and cofounder of the first enterprise privacy management platform, BigID. He previously founded two enterprise software companies focused on security (eTunnels) and API management (Layer 7 Technologies), which were sold to CA Technologies in 2013.