Data breach laws won't help: Verizon

Summary: Contradicting industry calls, a top information forensic specialist has said mandatory data breach legislation will not reduce the number of breaches.

TOPICS: Security

A top information forensic specialist has said that mandatory data breach legislation will not reduce the number of data breaches, despite industry calls for such laws to be introduced.

(Broken doors image by Eran Sandler, CC2.0)

Industry figures have been asking for such legislation since the government looked into the issue as part of a national overhaul of privacy laws.

Data breach disclosure laws would force companies to disclose when a breach occurs. The hope is that disclosure would let customers make choices based on how companies behave, and that companies would ideally be shamed into lifting their game.

But Verizon forensics investigations response chief Mark Goudie said that when such laws were introduced in the United States, they did little more than trigger a short run of headlines.

He feared that legislation would have a similar effect here.

He said that lifting slack security standards would avert some 85 per cent of data breaches.

If Verizon is to be believed, the lion's share of data breaches are conducted using decade-old attacks and are allowed to continue because of failures in basic security.

SQL injection was one of the most common ways to steal data and log-in credentials, along with custom malware written to avoid antivirus detection.

But simple log reviews would help avoid data breaches in 85 per cent of cases, Goudie said.

"We don't need to use FTK or EnCase or anything — everything was in logs."

"It must suck to be at the other end of that."

He said attackers may probe a network for vulnerabilities or valuable data for up to a year, activity that can usually be detected by reviewing logs.
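The log-review point Goudie makes, as an added example that is not from the article or from Verizon: a small Python script that parses constructed web-server access log lines (hypothetical addresses from the RFC 5737 documentation ranges, not real traffic), flags requests carrying SQL-injection indicators, and tracks how long each source keeps coming back with suspicious requests, which is the kind of months-long probing he describes. The indicator patterns, the status codes treated as suspicious, and the 30-day and three-request thresholds are assumptions chosen for illustration, not Verizon's criteria.

```python
"""Review web-server access logs for SQL-injection probes and long-running
reconnaissance from a single source. Added example, not from the article."""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "common" log format (hypothetical
# addresses from the RFC 5737 documentation ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2010:10:12:01 +1000] "GET /products.php?id=12 HTTP/1.1" 200 5123
203.0.113.7 - - [03/Mar/2010:10:12:05 +1000] "GET /products.php?id=12' HTTP/1.1" 500 231
203.0.113.7 - - [03/Mar/2010:10:12:09 +1000] "GET /products.php?id=12%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 8841
198.51.100.4 - - [03/Mar/2010:10:13:00 +1000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [09/Apr/2010:02:40:17 +1000] "GET /admin/ HTTP/1.1" 403 180
203.0.113.7 - - [21/Jun/2010:03:11:44 +1000] "GET /backup.sql HTTP/1.1" 404 162
203.0.113.7 - - [14/Sep/2010:11:05:30 +1000] "GET /products.php?id=1%20OR%201=1 HTTP/1.1" 200 77231
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed indicators of SQL injection attempts, checked against the decoded request.
SQLI_RE = re.compile(
    r"(?i)("
    r"\bunion\b[\s/*]+(all[\s/*]+)?select\b"             # UNION SELECT data extraction
    r"|\b(or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+"    # tautologies such as OR 1=1
    r"|'\s*(--|#|$)"                                     # stray quote / comment terminator
    r"|;\s*(drop|insert|update|delete|exec)\b"           # stacked queries
    r"|\b(sleep|benchmark|pg_sleep)\s*\("                # time-based blind probes
    r")"
)

SUSPICIOUS_STATUS = {400, 401, 403, 404, 500}
DWELL_DAYS = 30        # assumed: flag sources that keep returning for a month or more
MIN_SUSPICIOUS = 3     # assumed: ...and send several bad requests in that time


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_sqli(path):
    """True if the URL-decoded request path/query carries an injection indicator."""
    return SQLI_RE.search(unquote_plus(path)) is not None


def analyse(log_text):
    """Scan log text; return SQLi hits, per-source dwell stats and long-dwell sources."""
    sqli_events = []
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = sources.setdefault(rec["ip"], {"first": rec["ts"], "last": rec["ts"],
                                             "requests": 0, "suspicious": 0})
        src["first"] = min(src["first"], rec["ts"])
        src["last"] = max(src["last"], rec["ts"])
        src["requests"] += 1
        hit = is_sqli(rec["path"])
        if hit:
            sqli_events.append((rec["ip"], rec["ts"].isoformat(), rec["path"]))
        if hit or rec["status"] in SUSPICIOUS_STATUS:
            src["suspicious"] += 1
    for src in sources.values():
        # Days between a source's first and last request: its "dwell" in the logs.
        src["dwell_days"] = (src["last"] - src["first"]).days
    long_dwell = sorted(ip for ip, s in sources.items()
                        if s["dwell_days"] >= DWELL_DAYS and s["suspicious"] >= MIN_SUSPICIOUS)
    return {"sqli_events": sqli_events, "sources": sources, "long_dwell": long_dwell}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, ts, path in report["sqli_events"]:
        print(f"SQLi indicator  {ip}  {ts}  {path}")
    for ip in report["long_dwell"]:
        s = report["sources"][ip]
        print(f"Long dwell      {ip}  {s['dwell_days']} days, "
              f"{s['suspicious']}/{s['requests']} suspicious requests")
```

Run against the sample, the script reports three injection attempts and one source whose suspicious requests span more than six months. The point for a practitioner is that nothing here needs a forensic suite: the evidence is in the logs, provided they are kept for long enough to cover the dwell time and someone actually reads them. Decoding the request before matching matters, because the injection strings arrive URL-encoded.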

Goudie spoke at the Australian Information Security Association conference in Sydney yesterday.

Darren Pauli



  • Research in USA and EMEA regularly shows a large number of inappropriate data accesses occur internally directly on the business databases. Yet, 99.9% of organisations have no idea who is accessing their databases outside of the applications using these databases. Trusted users, DBAs, outsourcers etc can all be tempted for personal or monetary reasons and in most cases they have unrestricted access to data or even full backups of databases!

    From my experience nobody seems to care about protecting their corporate databases or 'Crown Jewels' unless an auditor is tapping them on the shoulder or they have had a data breach.
    SQL Tools
  • You're joking, right? The only way a company will spend ANY time or money protecting sensitive consumer data (like my personal credit card data, or private health information) will be if there is MANDATORY disclosure, and negative reputational risk of admitting the loss to the public.

    Several years ago, Australia implemented 'VOLUNTARY' disclosure laws... how many companies have VOLUNTEERED that they lost my data - that is, other than the bank who kindly cancelled my credit card a few months ago and reissued it several days afterwards. I'd like to know who compromised my account thanks! I'll go to retailers who put the basics in place to protect my money.

    Not until this 'numb nut' has to spend the hours, often days, justifying to his bank that it wasn't really him that made the credit charge, took a loan, or removed funds from his account, will he realise how naive and ill-informed that position is.