The Double-Edged Sword of Breach Notification Laws

10-15-2024 (Tuesday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, October 15, 2024, and we’re all coming back online after both Indigenous People’s Day (formerly Columbus Day) here in the US and Thanksgiving Day in Canada.

We’re coming back to - surprising nobody - some breach news, but let’s take a bit of a closer look and see what lessons we can learn from this event.

The Double-Edged Sword of Breach Notification Laws

Late last week, news broke of an incident at “Fidelity Investments, one of the world’s largest asset managers, [that] confirmed that over 77,000 customers had personal information compromised during an August data breach, including Social Security numbers and driver’s licenses.”

To give you a sense of their size, Fidelity has about $14T in Assets Under Management (AUM), so we’re not talking a small fish here by any stretch of the imagination.

The incident that caused the notification is - as per usual - light on details, with the Sample Breach Notification Letter provided noting only that “Between August 17 and August 19, a third party accessed and obtained certain information without authorization using two customer accounts that they had recently established. We detected this activity on August 19 and immediately took steps to terminate the access.”

Unfortunately, there aren’t any additional details available either on Fidelity’s site or in the breach notification letter. And if it weren’t for the few state laws requiring notification (Maine, in this case, as well as Massachusetts and New Hampshire), we likely would never have heard about this incident at all.

Which is unfortunate on a number of levels.

First, we’ve seen a continued trend of companies denying they’ve had an incident or a breach until the threat actors post their data on the ransomware sites.

The latest in this trend is Japanese company Casio, who did this same deny-until-you-can’t move just yesterday. There are a couple of things about this that I don’t like. To start, I don’t like when people (and companies) are dishonest, obfuscate, or hide. I understand why, and can imagine the appeal in those situations, but I still don’t like it.

The other reason I don’t like it is that it encourages threat actors to continue this trend of naming and shaming their victims, leaving them with the power and control in the dynamic.

It really does feel like Fidelity is falling into the same trap here - trying to hide the event, notifying only when absolutely necessary, and then offering as few details as possible.

There’s an alternate world where Fidelity chooses to drive this story forward on their own terms as a success. Perhaps these threat actors were able to exploit a vulnerability within their systems. BUT - the attack was caught within a couple of days, the number of users impacted was minimal (for an organization the size of Fidelity), and there were no financial transactions driven out of the attack.

I think you could even go so far as to turn this into a talk track at the security conference circuit for a year. I can hear the RSA Talk promotional materials being put together now!

Instead, we’re back to hiding and minimizing, which doesn’t help anyone get better and continues to allow the threat actors to have the psychological, and in many ways tactical, upper hand.

As you think about how you might handle these sorts of scenarios in your own organizations moving forward, I would encourage all of us to step up to the realities in which we find ourselves, rather than falling back on wishful thinking in these hard moments.

Fundraising

From a fundraising perspective, we can’t have every week be $20B and change. It was a bit of a reality check this past week, tallying just over $5B in a handful of funds. Perhaps it was just heading into the holiday weekend, or some other reason, but I wouldn’t read too much into it.

Even just today, we’re already ahead of last week in terms of committed capital, so the indications point to a strong October, heading into the election and the close of the year.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://techcrunch.com/2024/10/10/fidelity-says-data-breach-exposed-personal-data-of-77000-customers/

https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/a4103ed8-3176-4ca0-99e6-4a320f1c3b32.html?7194ef805fa2d04b0f7e8c9521f97343

https://www.securityweek.com/casio-confirms-data-breach-as-ransomware-group-leaks-files/
