Justice Calls for Breach Reporting Law
Quick Notification Vital to Capture Assailants
"Immediate reporting of incidents to law enforcement is vital to law enforcement's ability to investigate large-scale data breaches," Deputy Assistant Attorney General Jason Weinstein said in testimony Wednesday to the House Committee on Oversight and Government Reform's Subcommittee on Information Policy, Census and National Archives.
Weinstein, in his prepared testimony, said that immediate reporting relies on each potential victim company's ability to promptly detect an incident, but experience shows that prompt detection will not itself result in a report from the victim company.
He said data breaches are significantly underreported, and as a result, law enforcement efforts to bring criminals to justice are significantly hampered. "If law enforcement never learns of the incident, we will not be able to investigate it; if we hear about it too late, we may be unable to preserve critical evidence or identify the perpetrators," he said.
Weinstein said authorities successfully tracked down the perpetrators of high-profile data breaches as a direct result of immediate information from victim companies on how the hackers entered and exited their systems, including the specific IP addresses used in the attack. One example he cited: the restaurant chain Dave & Buster's, in which hackers last year installed so-called packet-sniffer software on point-of-sale servers to log details on thousands of payment cards.
But Weinstein suggested the Dave & Buster's case was an exception rather than the norm for companies reporting breaches, so Congress should enact legislation to compel such reporting. He said any legislation should contain provisions to ensure that breaches are reported to law enforcement prior to notifying individual victims, and to permit law enforcement to seek delayed notification, so that law enforcement has sufficient time to preserve evidence and investigative leads.