In an article published on Thursday, May 25 on DarkReading.com, WRVB Cybersecurity & Data Privacy Chair Beth Waller weighed in on the importance of a well-coordinated response to cybersecurity incidents. As the article suggests, failure to disclose incidents appropriately can leave chief information security officers (CISOs) in hot water, including criminal exposure.
Waller is quoted alongside SolarWinds CISO Tim Brown, who survived an epic supply chain attack in 2020 with his business and personal reputation intact. Brown is one of the heavyweights calling for greater clarity in the rules around disclosure.
Pressure for clarity is mounting on all sides. Waller pointed to demands for greater transparency and to shrinking disclosure windows as added pressure points for CISOs. Disclosure rules vary widely by industry and regulatory agency. As an example, Department of Defense contractors must notify the DoD of an incident within 72 hours. “For international companies, regulations like Europe’s General Data Protection Regulation (GDPR) drive similar timelines,” Waller says. “More and more, a company that wants to keep a data incident quiet cannot do so from a regulatory or legal standpoint.”
State-specific requirements add a layer of complexity for CISOs on the hook to comply. The Attorney General of Colorado recently clarified the state’s requirements, a development Waller applauds. “Colorado Attorney General Weiser’s comments provide helpful background on the security considerations state attorneys general will consider in looking at bringing violations under these new data privacy laws,” Waller says.
For more of Waller’s insights, read the full article on DarkReading.com.