Don't rush companies to disclose security breaches

Congress and attorneys general express incredulity that companies that believe they have been the victims of a data breach can't instantly tell whether they've been hit and, if so, to what extent. Presumably their intent is to protect the common good, but forcing businesses to notify authorities, shareholders, consumers, and others before forensics are complete could cause a flood of damaging misinformation — and aid the attackers themselves.

Photo: Shopper uses a credit card machine at Target. Getty Images

Data breach investigation and response takes time. Even expert investigators do not have I-Dream-of-Jeannie-like powers to instantly understand an attack that sophisticated hackers may have taken months to plan, execute, and obfuscate. Incident response is like archeology, not magic. It's a painstaking, scientific endeavor.

In major breaches, it can take a month or two of round-the-clock work to answer: How did the attackers get in and when? What did they view? What did they steal? Are they still in there? Large companies have vast networks of thousands of servers and tens of thousands of workstations, all of which must be scanned for evidence of intrusion. These scans often run overnight, and if new signs of intrusion are discovered, the scans must be run again. It's not unusual to scour the network a dozen times in the course of breach response.

Investigations are complicated by savvy attackers' use of anti-forensics: permanently erasing, encrypting, or misleadingly modifying relevant artifacts. Plus, initial theories about how the intruder executed the attack, its duration, and scope are often contradicted by evidence discovered as the investigation continues. The answers authorities seek aren't easy to come by.

In a recent data breach matter, my firm used eight skilled incident responders to perform detailed forensics on more than 100 servers and workstations that tested positive for infection. This process took well over four weeks, as each machine took between a few hours and a few days to inspect. Then, reverse-engineering the malware took two specialists over 100 hours. Reconstructing the timeline of an attacker's actions can be one of the most time-consuming parts of the process, requiring millions of lines of recorded network activity to be collected and reviewed. Data breach investigation and remediation is complex.

Currently, the minimum timing for notification in the U.S. is set by state laws that, in most cases, leave time for complex investigations. I take issue with the recent criticism by Congress that victims aren't announcing breaches sooner than these minimums. Pressuring or mandating immediate answers after a breach is confirmed, but before the details are fully known, can be dangerous.

If notification is made before a breach is fully understood, the intruders who still have access may step up efforts to steal data, install back doors to the network, and delete evidence. A comprehensive remediation plan, which can only be based on a full understanding of the attack, can be stymied. The company and consumers could lose control of even more valuable information. Having time to privately plan and execute effective containment protects all victims.

Announcing a breach too soon can also cause a harmful dissemination of misinformation. Most companies victimized by a breach understand that once a breach is confirmed, a clock starts ticking down the acceptable period in which they ought to have more information. The company must put tremendous resources behind quickly finding answers. But it can be difficult to rebuff inquiries from regulators, shareholders, consumers, counterparties, and the media. Rushing public statements can result in vague or inaccurate disclosures. Those disclosures will later have to be corrected, and who will be blamed for getting the initial information wrong? The victimized company, of course.

Authorities, stakeholders, and consumers understandably want as much information about an attack as soon as possible. But compelling instantaneous answers — disregarding how long the science and process actually take — abets the attackers, obstructs investigators, and spreads misinformation. The public is best served when its defense is based on fact and the realities of science and time, not on blind demands.

Eric Friedberg is executive chairman at Stroz Friedberg, a digital-forensics firm. Follow the company on Twitter @strozfriedberg.