One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

How (not) to respond to a data breach

Wednesday, June 22, 2016 - 11:51

With the number of data breaches still increasing, all organisations should be making plans for their response when, not if, it happens to them. At the FIRST conference, Jeff Kouns of Risk Based Security suggested learning from examples where the organisation’s response, or lack of it, had made the consequences of a breach much worse, both for the organisation and its customers.

The first lesson is to detect breaches quickly. This seems obvious, but the average length of time to discover a breach is still many months: one US financial institution took three and a half years to detect unauthorised access to its customer files. Not only does this delay give attackers ample opportunity to do lasting harm, but by the time the breach is discovered the organisation is unlikely to still have the information needed to work out what happened and how far the impact extended.

And when a breach is discovered, you do need to find out how it happened and fix the root cause. Failure to do so results in, at best, a steady trickle of increasingly bad news as new consequences are discovered. At worst you could miss the opportunity to fix a vulnerability when it exposed eighty-eight usernames and passwords, only to have it later exploited to access the personal data of more than two million people. Repeated data breaches look particularly bad.

Communication around an incident makes a big difference to how well or badly it turns out. Although we seem to be slowly understanding that it's not a good idea to respond to vulnerability reports with legal threats, that still seems to be a depressingly common response to reports of security breaches. If you shoot the first messenger, the next person to find the vulnerability might be more willing to exploit it to cause real harm. When a breach happens, those affected will want to know what they can do, so don't announce that you are turning off your telephone system because it can't handle the load. And if you're a regulated organisation (and under the General Data Protection Regulation we all will be from May 2018), talk to your regulator: they're likely to be less sympathetic if they learn of your breach from someone else.