In the last episode of the Cyber Second Podcast, we talked about the confusing patchwork of rules and laws – state, federal, global – dictating data breach disclosure rules. The common thread in nearly all of the existing regulations is that the disclosure clock starts the very moment that a company becomes aware of the breach. But when does someone truly know something, and who needs to know to establish that the company knew they were impacted? Does the clock start when the first log anomaly is detected by a member of the security staff, when the CEO is formally briefed, or when the forensic investigation proves a breach really occurred?

Certainly, businesses have a desire to truly understand what - if anything – has occurred before they communicate it to customers. But what about the desire of the customers? How long will it take an attacker to monetize the data and automate phishing attacks, or do something with the information that is bad for the consumer? The business may be impacted, but it seems the true injured party in a breach is not the company, but the person whose data was stolen.

In this podcast, Adrian Lane, analyst and CTO at Securosis, asks us to change our perspective as he answers some of our most pressing questions – and addresses our key concerns – around data breach disclosure. 

Laura Paine is a senior web content developer at CA Veracode, focused on research, product and current events. She is a contributor to CA Technologies blog and repsonsible for publishing CA Veracode's State of Software Security Report. Prior to taking this position in content marketing, Laura was the global public relations and analyst relations manager for the business unit.  Follow Laura on Twitter and LinkedIn.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu