A Government Clearinghouse for Reporting Breach Info?

Breaches and bots have much in common: the damage they do to consumers and the US economy, and the need for government action. At the October 2011 Online Trust Alliance Forum I attended two sessions on breaches. The panelists included lawyers and CSOs who have been engaged on multiple breaches. I wrote and regularly tested AOL’s breach plan. The discussions and my experience indicate that breaches get reported (unfortunately not all are reported) to multiple groups, from the local police department to the FBI, Secret Service, and other federal and state agencies. This hodgepodge of reporting results in an incomplete view of essential statistics; data on breaches becomes a set of widely varied guesses. There needs to be a central government clearinghouse where all breaches are reported: 1-800-DATABREACH. This clearinghouse would collect statistics and route each case to the appropriate agency for investigation.

More importantly, the hodgepodge of reporting makes it impossible to collect information on the cause of each breach and its cure, which is essential to share with other companies. My experience with Internet crime shows that the bad guys continually exploit the same techniques. The clearinghouse should be sharing data on the exploit used and recommendations to prevent the problem from recurring.

The clearinghouse also needs to share data about the individuals whose credentials were breached so that accounts at other sites where the same authentication data is used can be shut down. Sites have the terrible habit of using the email address as the user ID for convenience, and consumers have the terrible habit of using the same password on multiple sites. The bad guys know this: once email/password pairs are compromised at one site, they try the same combinations against accounts at financial institutions, ISPs, etc. In fact there is a website on which you can check whether your email address has been compromised. The clearinghouse should make the compromised email addresses and passwords available to vetted companies so that each site can test whether the combination also works against its own accounts and temporarily shut off access before more accounts are compromised.
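What "test the combination" looks like on the receiving site, as an added example that is not from the original post or from any real clearinghouse: the site never compares plaintext to plaintext, it runs each leaked password through its own salted password hash for the matching email and locks the account only when the hash verifies. The breach feed, the user store, the email addresses and the passwords below are all constructed for the example; the feed format (email, plaintext password) is an assumption about what such a clearinghouse would distribute.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Iteration count kept modest so the example runs quickly; production code
# should use a far higher count or a memory-hard function such as Argon2.
PBKDF2_ITERS = 50_000


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    must_reset: bool = False


def normalize_email(email: str) -> str:
    """Breach feeds and user stores rarely agree on case; compare on a canonical form."""
    return email.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)


def register(store: dict, email: str, password: str) -> None:
    """Store only a per-user salt and PBKDF2 hash, never the password itself."""
    key = normalize_email(email)
    salt = os.urandom(16)
    store[key] = UserRecord(email=key, salt=salt, pw_hash=hash_password(password, salt))


def check_breach_feed(store: dict, feed) -> list:
    """Lock every account whose stored hash verifies against a leaked (email, password) pair.

    Returns the list of emails locked on this run. Unknown emails and already
    locked accounts are skipped, so re-running the same feed is a no-op.
    """
    locked = []
    for email, leaked_password in feed:
        rec = store.get(normalize_email(email))
        if rec is None or rec.locked:
            continue
        candidate = hash_password(leaked_password, rec.salt)
        # Constant-time comparison, the same check a login would perform.
        if hmac.compare_digest(candidate, rec.pw_hash):
            rec.locked = True
            rec.must_reset = True
            locked.append(rec.email)
    return locked


def build_sample_store() -> dict:
    """Constructed user store for a hypothetical site (not real accounts)."""
    store = {}
    register(store, "alice@example.com", "Winter2011!")
    register(store, "bob@example.com", "correct horse battery")
    register(store, "carol@example.com", "unique-to-this-site")
    return store


# Constructed feed, as if received from a clearinghouse after a breach elsewhere.
# Alice and Carol reused their passwords; Bob's leaked password differs; Dave has no account here.
SAMPLE_FEED = [
    ("Alice@Example.com", "Winter2011!"),
    ("bob@example.com", "some-other-password"),
    ("dave@example.com", "irrelevant"),
    ("carol@example.com", "unique-to-this-site"),
]


if __name__ == "__main__":
    users = build_sample_store()
    print("locked:", check_breach_feed(users, SAMPLE_FEED))
    for rec in users.values():
        print(rec.email, "locked" if rec.locked else "ok")
```

Two caveats a practitioner would insist on before adopting the post's proposal: the receiving site must discard the feed once it has been checked rather than retain a second copy of the plaintext passwords, and distributing plaintext at all widens the exposure, so a real scheme would more likely ship salted or prefix-truncated hashes and accept the extra verification cost.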

About infoguardianangel
The consumer and corporate information guardian angel. Cybersecurity and privacy advice for my clients (and anyone else who cares about protecting their data or their companies).
