Reporting Breaches to Law Enforcement: Why Timing Matters

Privacy attorney Kirk Nahra of Wiley Rein LLP
The timing of reporting breaches to law enforcement is important because reporting could slow down an organization’s incident response and internal investigation, says privacy attorney Kirk Nahra.
“How you work with law enforcement on timing is part of the puzzle of what you have to deal with … as a company,” he says. “Your obligations as the company don’t necessarily slow down because law enforcement is involved.” But incident response plans can be impacted, for example, “if law enforcement says ‘we don’t want you to do something’” that could impact evidence.
Sorting Out Obligations
Even when law enforcement is working on a breach case, entities still have their own internal investigation issues to consider, he says.
“Often organizations have to do their own investigations in trying to figure out what their obligations are in connection with their other requirements, such as whether they have to notify a specific regulator … or individuals … or their own business partners,” he says. “Law enforcement’s speed – or lack of speed – is really an independent variable.”
Working with law enforcement is potentially helpful to organizations if the entity eventually wants to prosecute a case, or recover stolen data assets, he notes. “You have to factor that in,” he says. “You try to work with law enforcement as one component to your overall breach response.”
In a video interview at Information Security Media Group’s recent Healthcare Security Summit in New York, Nahra also discusses:
Other pros and cons for reporting breaches to law enforcement;
Factors involved in decisions to report to law enforcement breaches that involve external actors versus insiders;
The tension involved in deciding to report security incidents to law enforcement while an entity is still determining whether to also report the incident to the Department of Health and Human Services’ Office for Civil Rights.
As a partner at the law firm Wiley Rein LLP, Nahra specializes in privacy and information security issues, as well as other healthcare, insurance fraud and compliance issues. He’s a member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community.