Software Integrity
The split views on the 30-day data breach notification laws

This week there has been much conversation around President Obama’s proposed law calling for organizations to publicly disclose breaches within a 30-day window.

With 47 different laws on the books, this would provide uniformity across the states and give organizations clarity about what they must do regardless of where they or their customers are located. Recent high-profile breaches have shown the President how insecure software can “make the economy more vulnerable”; as a result, he sees increased protection of privacy and public disclosure of breaches as a necessity.

While many are in favor of the President’s proposal, there are some criticisms of this plan. As Synopsys’ Drew Kilbourne points out in Maria Korolov’s CSO article, “a rush to disclosure can sometimes hamper research by law enforcement and other parties.” He adds: “Often breaches are not immediately disclosed in order to not tip off the attacker that they have been discovered, allowing time to study the attack to learn about new or evolved tradecraft and attack vectors and perform attribution.”