Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.
- What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry? Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
- What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
- And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
- What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?
If you don’t mind I’d like to give the public in general my 2 cents…
The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.