As the US government looks to revise cybersecurity legislation to include harsher penalties for cybercriminals, Web hosts dealing with hackers need to have a plan before an attack hits.
Though most states have breach notification statutes, the laws vary considerably state-by-state. The proposed cybersecurity legislation released May 12 includes a motion to standardize laws that generally require businesses to notify customers if their personal information has been accessed by an intruder.
“There are a couple of bills pending in Congress that would require federal breach notifications because it’s getting kind of hard to comply with all these different state mandates,” says David Snead, a lawyer (and a regular contributor to the WHIR) whose Washington-based practice focuses on internet infrastructure providers.
Snead says new laws could change the extent to which Web hosts are liable, but are unlikely to result in less hacking.
The proposal also calls for synchronizing cybercrime laws with those covering other types of crime. For example, cybercrime carried out in connection with organized crime would also be punishable under the Racketeer Influenced and Corrupt Organizations (RICO) Act.
Snead says hosts need to have a breach notification strategy in place to ensure streamlined communication with customers and authorities.
“There needs to be a notification strategy, both internal and external,” Snead says. “What are you going to tell your customers? How are you going to notify them? What are you going to tell the media?”
“If you have a strategy, it makes it easy to provide the right information in the heat of the moment.”
While Web hosts usually reach out to authorities when an intrusion is detected, Snead says that it is important for hosts to secure their network first. After the network is secure, Web hosts should determine what their contractual and legal responsibilities are.
“The laws regarding what can and cannot be disclosed in terms of personal data, email data and things like that do not uniformly allow authorities to have access to them,” Snead says.
“You need to keep in mind that law enforcement goals are not always aligned with a host’s legal responsibility.”
Web hosts often want to do as much as they can to cooperate in an investigation, but sometimes take it too far without considering their contractual obligations to customers, according to Snead.
“There is a specific law in the US that prohibits the disclosure of content of email except in very narrow circumstances,” Snead says. “By disclosing it without the proper authorization there’s actually a private right of action so the people whose email was disclosed can sue the host personally.”
While the content of email should not be shared with authorities except under special circumstances, information about the hack itself, such as the IP address from which the attack originated, can generally be shared.
Recently, Sony came under fire for the handling of its data breach. Hackers stole 100 million users’ private information, and Sony was criticized for taking too long to communicate with its customers. Though it is primarily a customer service and public relations issue, the legal issue should not be ignored. Sony now faces several lawsuits seeking retribution for the compromise of private information.
“Honestly, if there’s a breach, people are going to find out about it,” Snead says. “If you don’t notify people, then they’re going to assume the worst.”