Companies keep silent on data breaches

On the anniversary of the scrapping of the UK confidentiality charter businesses are reluctant to discuss data breaches

One year on from the scrapping of the Confidentiality Charter that let businesses report IT crime in confidence directly to the police, new research by the organisers of the Infosecurity Europe event has revealed that a third of corporate IT security breaches in the UK currently go unreported.

Many of the respondents said they were unsure which crimes are worth reporting, while others chose not to alert the police for fear of brand damage. This concern is likely to have been heightened by the recent example of clothing retailer TK Maxx, which was obliged by US laws to reveal that the card details of almost 46 million customers worldwide had been compromised by a computer security breach.

Jonathan Coad, a media specialist at law firm Swan Turton, said newsworthy breaches are often leaked to the press. “Reporting crime to the police is a double-edged sword as invariably the press has found out about the incident within 24 hours,” he said.

Coad’s comments highlight the loss of the Confidentiality Charter, a consequence of the absorption last April of the National Hi-Tech Crime Unit into the Serious Organised Crime Agency (Soca). The charter was established to encourage more open IT crime reporting by guaranteeing privacy for businesses and offering them a direct link to the e-crime unit.

That was a very different approach to the one adopted by many US states, which have introduced legislation to force firms to go public with breaches affecting the safety of customer data.

Mark Watts, IT partner at law firm Bristows, said that firms might be wise not to disclose information on breaches too early. “In the US we are already seeing ‘breach fatigue’ where consumers are faced with so many notifications they find it difficult to weed out the important ones,” he explained. “Firms should look at the incident and decide if there is a real prospect of data theft. If there is not, why worry consumers?”

Ollie Ross, head of research at user group The Corporate IT Forum, said the reluctance of corporate victims to report IT crime means much of it goes unresolved. “But as the TK Maxx incident has demonstrated, the stakes are very high,” he added.

However, Maxine Holt of analyst firm Butler Group argued that corporate victims not reporting crimes “is of no use to anybody”.