Data breach law divides experts

US-style legislation could be a good move according to RSA roundtable attendees

Security experts at an RSA Conference roundtable last week renewed calls for the government to enact a US-style data breach notification law, arguing that it would encourage good practice and force firms to prioritise information security.

Many US states, including California and New York, have security breach notification laws that require organisations to notify state residents if their personal information has been exposed because of a data breach.

Without such laws, major breaches such as the one that led to the theft of credit card details from US retailer TJ Maxx would probably be swept under the carpet in an effort to minimise brand damage and bad publicity.

“It has to be a good thing – it’ll make companies think about how to protect their customers and their brand, and put security at the forefront of their minds,” said RSA’s European business development director, Richard Nichols. “Organisations that want to push their business online have the responsibility to protect data, consumers and the brand as far as possible.”

Chief security adviser at Microsoft UK, Ed Gibson, added that although his firm “has an absolute obligation” to ensure it produces the most secure products possible, he was cautious about any move to force firms to disclose breaches.

Patrick McLaughlin, European director of security at Oracle, called for a more nuanced approach, arguing that firms should be forced to disclose any breaches, but only if the breach was significant and the firm in question had not taken steps to encrypt the information.

RSA’s Nichols suggested that firms might be able to claw back some respect and trust from their customers by responding to a data breach in an open, efficient and responsible way.

Participants also stressed that security is as much a matter of getting the right people and processes in place, as having the right technology. Oracle’s McLaughlin argued that the EU’s efforts to prepare its critical infrastructure for a possible cyber-terrorist attack should not focus solely on technological solutions. “It may not all be solved by that – it’s about people and processes too,” he said.

Tony Lock of analyst firm Freeform Dynamics added that organisations must foster a culture of security, and that this required more investment in training.
“Our research shows that people who are not properly trained are vulnerable,” Lock said. “I’ve had people opening up sensitive RFPs next to me on the plane before – they didn’t know any better.”