How Yahoo's Breaches Will Shape Security Regulations

Its 2013 attack is the largest ever, and will be a tipping point for legislators

As outrage mounts over the 2013 Yahoo breach disclosed on December 14, the U.S. government is expected to finally confront its problem with establishing timely disclosure.

This hack is the largest data breach ever, with 1 billion accounts compromised, about two times the casualties of Yahoo’s 2014 incident. (The company announced that breach just three months ago.) Reports Bloomberg, this latest development “will increase the likelihood of regulators taking public data security enforcement action, privacy and security professionals.”

New York Attorney General Eric T. Schneiderman has already pulled the trigger. He promptly issued a consumer alert, assuring his constituents that his office is “currently examining the circumstances of the breach and Yahoo’s disclosure of the breach to law enforcement.”

In fact, New York has been leading the way since September, when Governor Andrew Cuomo announced state cybersecurity regulation to take effect January 1. It requires financial institutions to have a cybersecurity program, a written policy, and a Chief Information Security Officer on their staff. Smaller banks have already expressed disapproval, saying the rules are “inconsistent with federal rules and put an unfair burden on smaller institutions,” reports CyberScoop.

This comes as a survey of 100-plus security professionals reveals that 44% of companies cannot meet expectations set for addressing security incidents. “It is difficult for them to extract the necessary information from unstructured data with their existing tools,” SC Magazine reports. “They lack the contextual information that would help transform this data into valuable, actionable information.”

Chart courtesy of Statista

In other words, by the time enterprises figure out something’s wrong (because spotting a breach can take months or years), they don’t always know what to do next. Based on current outcries, initial pieces of governance will likely focus on speed: finding threats quicker and eliminating a lengthy forensics process.

The healthiest first step would be finding a solution that addresses everyone from the IT manager through to the CISO. Security platforms that are as fast as they are smart would immediately translate analytics into a three-dimensional picture of an attack. Detailing when the event occurred, who conspired to steal, which data or networks were breached, and how the thief got there empowers any member of a security team to report to executive teams and law enforcement alike.

As cybersecurity regulations take shape, it’s just as important that actionable intel can prove proactive compliance. From a C-suite perspective, this helps SecOps define and protect areas of risk, opening them up to efficient collaborations with other departments, such as human resources.

In a statement about the 2013 attack, Yahoo said that it “has not been able to identify the intrusion associated with this theft.” The company also stated that it believes a state-sponsored actor was responsible for the 2014 attack. The years it took to publicly report that incident upset lawmakers so much that six senators demanded that Yahoo detail when it first learned of the breach, with one of those senators calling for a hearing, which has yet to occur.

Spotting threats swiftly is a challenge unto itself, necessary to reduce disclosure time. But companies have also learned that confidence, among both customers and executives, is ultimately built on one bottom line: how a security solution can support an organization’s overall success.