Microsoft’s Johnson: Data Breach Disclosures a Delicate Balance

Whether it’s the Equifax breach or the more recent Facebook breach, consumers are steeped in data breach news and notifications. During the Washington Post’s Cybersecurity Summit | 2018, Cat Zakrzewski, a technology policy reporter at the Washington Post, sat down with Anne Johnson, corporate vice president of the Cybersecurity Solutions Group at Microsoft. They discussed both some of the common mistakes enterprises make today when it comes to data breach disclosure and how enterprises struggle to find the right balance between speed of disclosure and the consumer’s need to know.

Breaches impact consumers and corporations on a daily basis, said Johnson. “One of the things that we find is companies are not always as disciplined as they could be with rigor around cybersecurity controls. I’m not talking about the acquisition of new technologies or new tooling: I’m talking about the use of things like multi-factor authentication, and the use of passwords for their domain environments,” she said.

Ann Johnson,corporate vice president of Microsoft’s Cybersecurity Solutions Group

Johnson pointed to poor hygiene issues with enterprises as being too common. These include password sharing and password reuse as well as weak passwords as areas bad actors regularly exploit.

When it comes to whether businesses are correctly budgeting for security, Johnson said companies are spending—and their spending has been rising every year for the past five or so years. However, she noted, they may not be spending wisely.

“I think we as an industry can do better on education,” said Johnson. While there is considerable spending on security tooling, companies aren’t spending enough on awareness, especially considering how many generations are active in the workplace today. “Some of them [older workers] are not digital natives, and some of them didn’t start with technology,” she said.

Another area where enterprises struggle, especially in light of new data breach regulations that mandate disclosure, is data breach notification. This came to light recently with the Facebook breach, which, as Zakrzewski pointed out, was one of the first significant breaches since the EU’s Global Data Protection Regulation (GDPR) went into effect.

“Facebook disclosed it (their breach) within three days. What impact do you think the new rules with GDPR and breach notification will have on industry?” Zakrzewski asked.

“It’s an interesting question,” Johnson said. She pointed to some things that Facebook got right in its response. However, Johnson warned, organizations must use caution in their disclosures. “Like any investigation, it doesn’t just happen overnight. You have this balance of needing to notify, but you’re notifying with an incomplete set of information and information that is going to dynamically change,” she said.

That balance will be difficult to reach as new data breach notifications and data privacy requirements come online, Johnson said. These organizations will be forced to notify to a large consumer base of people who are not technology-savvy and will have a tough time adequately protecting themselves with incomplete information.

This could, at worst, cause undue panic, depending on how the media communicates it, or it could confuse what consumers should do in the face of the breach to protect themselves. “I think that is the biggest challenge to corporations right now,” she said.

Johnson noted the most significant impact of GDPR will be upon breach notification laws, citing similar laws under discussion in the United States and around the world. Companies will have a challenging time because they will have to change how they conduct their incident response investigations dynamically.

Because of Microsoft’s strong stance on privacy and customer data, Johnson said the company could, at times, notify beyond what is actually required by the breach motivation mandates. “Providing the information that is required under the breach notification doesn’t necessarily give the consumer the information they need to protect themselves online. You want to give the maximum amount of very descriptive and prescriptive information at the soonest point you can, while also being compliant,” she said.

George V. Hulme