Experts split over the benefits of compulsory data breach notification

By Stuart Sumner
25 Oct 2011 View Comments
NCC Group's Rob Cotton

Companies in the US now have an obligation to publicly disclose details of data breaches they suffer, and there are increasing signs that the UK will have to implement similar rules under proposed changes to the EU Data Protection Directive.

Further reading

The US Securities Exchange Commission (SEC) recently issued a document clarifying a company's obligations with regard to data breaches.

The document stated that firms must disclose known or potential security incidents "if these issues are among the most significant factors that make an investment in the company speculative or risky".

The disclosure extends to admitting the known and potential costs of the breaches.

So should IT leaders welcome the prospect of having to work under a similar regulatory regime in the UK?

Rob Cotton (pictured), chief executive of IT assurance company NCC Group, argues that the UK government should look to implement similar rules here as soon as possible.

"Every individual has the right to know what's happened to their information, and investors have a right to know how their networks and businesses have been compromised.

"That should be advocated by the UK government. At present there is virtually no obligation for UK companies to disclose anything."

Graham Titterington, principal analyst at Ovum, is less certain about the value of compulsory disclosure laws.

"It's not clear cut as to whether disclosure is a good idea or not. The benefit is that it would make companies more security conscious because of the reputational damage that they suffer when the public hears of their breaches."

However, Titterington explains that the down side is that most people don't know what to do with the disclosure information once they've got it.

"Your data may have been breached, but so what? What do you do? Fly into a blind panic or ignore it? Neither reaction is very helpful."

But would the fear of reputational damage drive companies to tighten up their security measures? If so, that in itself might justify new legislation.

Titterington feels that if every company were forced to share details of its data breaches, the very frequency of the information would reduce its sting.

"Data breaches are so commonplace that the damage to the image has lost some of its potency, people just think: ‘Oh it's yet another data breach'.

"The first time you have a data breach people get overexcited, the next time you get data breach fatigue."

However, Titterington did accept that disclosure could be useful for both the public, and investors, to see which companies are repeat offenders.

"I would get very worried if I'd invested money in an organisation which seemed to be a perpetual offender."

Reader comments
blog comments powered by Disqus
Newsletters
Is it time to open Windows?

Computing believes that Microsoft will start offering Windows free of charge by 2017. Is this a good thing for the enterprise?

54 %
17 %
6 %
19 %
4 %