The Homeland Security Department should establish a national standard to encourage companies and individuals to report data breaches to federal authorities, helping them gauge the intensity of cyberattacks and investigate cybercrime, security professionals said on October 28. Federal agencies are required to report data breaches to the U.S. Computer Emergency Readiness Team, which is part of DHS. Reporting requirements for companies, however, vary by state.
California was the first state to pass a law requiring companies to disclose when unencrypted personal information in their databases has been accessed by someone not authorized to view it.
Most states have since passed variations of the disclosure law. A national breach notification system is needed because companies and individuals are the main targets of cybercriminals, whose goal is typically to steal credit card information and bank credentials. According to Symantec's 2008 Internet Security Threat Report, 90 percent of all threats target confidential information that, once stolen, is sold. Consumers are particularly vulnerable to cyberattacks because one in five individuals fails to protect personal information on their computers and 40 percent do not update or patch their operating systems. Symantec also said rogue security software, which relies on scare tactics to fool users into downloading malicious code by posing as legitimate antivirus programs, is on the rise.
The company identified 250 such programs and received 43 million reports from customers of installation attempts. Because most cyberattacks focus on individuals and companies, a national standard for breach notification would give security vendors and federal law enforcement agents a more accurate picture of the threat. Companies are reluctant to report cyberattack incidents for fear that they will be held accountable for the data loss and possibly lose business or be fined.