Justice Calls for Breach Reporting Law

Quick Notification Vital to Capture Assailants
A senior Justice Department official asked Congress to enact legislation to require companies to report breaches of their computer systems to law enforcement officials.

"Immediate reporting of incidents to law enforcement is vital to law enforcement's ability to investigate large-scale data breaches," Deputy Assistant Attorney General Jason Weinstein said in testimony Wednesday to the House Committee on Oversight and Government Reform's Subcommittee on Information Policy, Census and National Archives.

Weinstein, in his prepared testimony, said that immediate reporting relies on each potential victim company's ability to promptly detect an incident, but experience shows that prompt detection will not itself result in a report from the victim company.

He said data breaches are significantly underreported, and as a result, law enforcement efforts to bring criminals to justice are significantly hampered. "If law enforcement never learns of the incident, we will not be able to investigate it; if we hear about it too late, we may be unable to preserve critical evidence or identify the perpetrators," he said.

Weinstein said authorities successfully tracked down perpetrators of high-profile data breaches as the direct result of immediate information from victim companies on how the hackers entered and exited their systems, including the specific IP addresses used in the attack. One example he cited: the restaurant chain Dave & Buster's, in which hackers last year installed so-called packet-sniffer software on point-of-sale servers to log details on thousands of payment cards.

But Weinstein suggested that the Dave & Buster's case was an exception when it comes to companies reporting breaches, so Congress should enact legislation to compel such action. He said any legislation should contain provisions to ensure that breaches are reported to law enforcement prior to notifying individual victims, and to permit law enforcement to seek delayed notification, so that law enforcement has sufficient time to preserve evidence and investigative leads.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
