It’s important to note that this is not just a problem between companies and customers or citizens. Notification is no better within many enterprises generally. A recent survey found that nearly 40 percent of U.S.-based, in-house attorneys and general counsel fail to disclose security issues to their board. In such cases, failure of clear governance makes companies — and everyone who connects to them through a network — far less secure.
Regardless of timing, pre-set processes by which companies notify customers of a breach should be part of their post-breach responsibilities. If companies are expected to provide guidance on how to deal with the aftermath, then they should prepare guidance beforehand or within a reasonable period post-breach (and held to account for their inability to provide guidance). At the same time, in order for an enterprise to ensure that its cyber-resilience strategy is effective, there need to be clear rules and timelines for managers to share information with company leaders.
Third, the government’s role in the wake of a breach needs to be more clearly defined. The immediate aftermath of a breach usually centers (generally unhelpfully) on assigning culpability rather than focusing on the victims or on creating policies that would prevent breaches.
The U.S. (like other governments) made a policy choice to give organizations principal responsibility for responding to cyber attacks. Governments, as in other national security matters, could assume principal responsibility themselves or could develop a policy to share responsibility among key stakeholders.
But even as organizations are held responsible, the government’s duty to assist these organizations remains ambiguous. Governments have technical expertise as well as emergency response capabilities that do not have a clear trigger in the current policy environment. At the very least, clear rules and lines of responsibility would help to create reasonable expectations around cyber defense for the private sector.
As cyberattacks continue to increase, the Equifax breach will soon be seen as unexceptional. What will remain exceptional is a culture and policy posture that labors under a dangerous black-and-white assumption where privacy is pitted against security.
Over the past 20 years, there have been ever greater “calls to arms” to tackle cyber security. And yet billions of dollars of market value have evaporated owing to cyber incidents in the last year, not to mention the consumer impact.
That status quo is not sustainable.
Commentary by Daniel Dobrygowski and Walter Bohmayr.
Daniel Dobrygowski, lead for Trust and Resilience, World Economic Forum, is an attorney based in the U.S. whose practice and research includes privacy, security, intellectual property, and regulatory and competition law. He leads the World Economic Forum’s efforts on trust and resilience, focusing on cyber resilience and digital identity, in its system initiative on Shaping the Future of the Digital Economy and Society.
Dr. Walter Bohmayr is a senior partner in the Vienna office of The Boston Consulting Group. He is the global leader for cybersecurity and IT risk, and a member of BCG’s internal Risk and Audit Committee.