[ISN] Organizations Rarely Report Breaches to Law Enforcement

From: InfoSec News <alerts_at_private>
Date: Wed, 31 Mar 2010 00:00:37 -0600 (CST)

By Kelly Jackson Higgins
March 30, 2010

Most organizations hit by breaches that don't require public disclosure 
don't call in law enforcement -- they consider it an exposure risk, with 
little chance of their gaining any intelligence from investigators about 
the attack, anyway.

FBI director Robert Mueller has acknowledged this dilemma facing 
organizations that get hacked, noting in a speech at the RSA Conference 
last month that disclosing breaches to the FBI is the exception and not 
the rule today. But the FBI will protect victim organizations' privacy 
and data, and will share what information it can from its investigation, 
he said, rather than continue with the mostly one-way sharing that 
organizations traditionally have experienced when dealing with the FBI.

Gary Terrell, president of the Bay Area CSO Council and CISO at Adobe, 
says different companies have their own rules about reporting to law 
enforcement. "[Many] won't talk to law enforcement without an NDA 
[non-disclosure agreement]," says Terrell, who was speaking on behalf of 
the Council. "The FBI has a hard time signing it. That hasn't been 
successful so far, so sharing with the FBI has been minimal."

He says the feds have their own communications "protocol" for sharing 
classified information, but they don't have a standard and confidential 
way to work with the private sector on breach investigations. And until 
the feds can work with NDAs, there won't be much back-and-forth between 
companies and these agencies about breaches, he predicts.

Received on Tue Mar 30 2010 - 23:00:37 PDT