Dive Brief:
- The Office of the Inspector General (OIG) found the Federal Bureau of Investigation's (FBI) "production, dissemination and disposition of cyber victim notifications" application is "incomplete and unreliable," according to a report from the Department of Justice.
- The application, Cyber Guardian, is undermined by "logical and typographical errors," leads sent improperly by agents, a failure to index victims in the automated case management system, and a failure to notify victims because restricted access cases were not tracked, according to the report.
- The OIG's report found only two out of 31 FBI agents properly use the "victim notification" lead type, with many using the "action" lead instead. Agents also had difficulty knowing which type of lead to use when multiple tasks are requested in the same lead.
Dive Insight:
Companies have learned the hard way that the victim notification process is just as important as general recovery. Only one in 10 companies is able to process 75% or more of data pertaining to a security event.
An inability to process event-related data speaks to the cybersecurity talent gap: just like the private sector, the public sector faces uncertainty about how much cybersecurity talent it actually has available.
The Department of Homeland Security failed to submit its workforce audit to the government watchdog, the Government Accountability Office, because it couldn't secure "consolidated reports on employee certifications from all DHS components."
The OIG found similar shortcomings in the FBI. Agents are also improperly documenting cyber victim data, and without all the necessary input information, there is the potential for cyber victims to be "poorly positioned to defend themselves," according to the report.
Breached companies are still insufficiently notifying their victims. Yahoo's proposed settlement of $50 million in damages was rejected in January because while "providing relief is appropriate, it must be done correctly," said U.S. District Judge Lucy Koh in her decision.
Yahoo had largely kept the scope of the breach quiet until its Verizon acquisition in 2016, which added to the perception of mishandling personal data. The company announced a new settlement of $117.5 million Tuesday that's awaiting approval by Koh.
The transparency, or lack thereof, in handling breaches has become more of a data privacy issue than anything else.
In the heat of GDPR, proposed privacy legislation and further calls to regulate tech, entities in the private and public sector are now hypersensitive to how, and how quickly, they notify victims.