In the last episode of the Cyber Second Podcast, we talked about the confusing patchwork of rules and laws – state, federal, global – dictating data breach disclosure rules. The common thread in nearly all of the existing regulations is that the disclosure clock starts the very moment that a company becomes aware of the breach. But when does someone truly know something, and who needs to know to establish that the company knew they were impacted? Does the clock start when the first log anomaly is detected by a member of the security staff, when the CEO is formally briefed, or when the forensic investigation proves a breach really occurred?

Certainly, businesses have a desire to truly understand what - if anything – has occurred before they communicate it to customers. But what about the desire of the customers? How long will it take an attacker to monetize the data and automate phishing attacks, or do something with the information that is bad for the consumer? The business may be impacted, but it seems the true injured party in a breach is not the company, but the person whose data was stolen.

In this podcast, Adrian Lane, analyst and CTO at Securosis, asks us to change our perspective as he answers some of our most pressing questions – and addresses our key concerns – around data breach disclosure. 

Laura Paine is the senior content developer at Veracode, based in Burlington, MA. In this role, she is responsible for research, including publishing Veracode's annual State of Software Security Report, current events, and product content for the company blog. Prior to taking this role in content marketing, she was the global public relations and analyst relations manager.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu