Keeping quiet when you’ve been hacked might not help anyone. But should companies be required by law to report when they have lost customer data?
If companies are careless with their customers’ data, they run the risk of a fine from the Information Commissioner’s Office (ICO). But what about if they suffer a data breach because of someone else’s criminal action?
There is a proposed EU law which would require organisations to report any large data breach within 24 hours – but it is not enacted yet. Public bodies in the UK are obligated to report data breaches. But there’s a grey area here – not least because it’s not exactly clear whether there would be an overall benefit to making it mandatory to report data breaches – and some argue that it could have a negative impact on security.
Tell us your data breach opinion
This week we have uncovered evidence that shows why businesses can benefit from keeping data breaches to themselves. The ICO will fine them if they confess to them – while security breaches that are uncovered in an ICO audit do not receive a fine. Lawyers in the field have confirmed that firms are keeping schtum for just this reason.
When you are the victim of a hack – as happened with Coca-Cola – it is natural to want to keep it quiet, but the security community say that this approach simply sweeps the issue under the carpet and denies everyone the information they need to keep safe.
On the other hand, mandatory reporting could simply increase the bureaucracy and paper work associated with doing business online, and add an overhead that has little do do with active security prevention.
Let us know what you think in our new poll.