Kali on My Mind

Mandatory Incident Reporting

I feel very strongly that the US needs something like the European GDPR to protect consumers and the general public in the digital age. As far as best practices go, it is the gold standard of cyber security right now. One of the most basic (but still critical) provisions in the GDPR is the outline for incident reporting and guidelines on how it should be done and what time table is allowed without penalty.

There is some push to make this required incident reporting into law here in the US. Specifically, critical infrastructure may soon have mandatory reporting laws if it is the target of any type of cyber attack or leak. Why this is not already law baffles me, but hopefully it is an issue that is soon corrected.

Requirements like this should apply to any decently sized breach of security or consumer information. Even just in the last few years Sony, Target, Equifax, and many others have had consumer data breached. And in some cases these companies waited weeks to notify anyone that such a breach had occurred. That is incredibly precious, lost time that gives the malicious actors an even larger head start than they would otherwise have.

Hopefully this small step in the right direction is adopted fully and quickly. And hopefully more common sense measures follow in its wake. But until then these types of practices and requirement should be pushed for by every cyber security professional and every consumer alike. Lets work together to both hold organizations accountable and find ways to prevent similar breaches from occurring again.