Experts split over the benefits of compulsory data breach notification

Moves to force organisations to disclose security breaches could just lead to 'notification fatigue'

Companies in the US now have an obligation to publicly disclose details of data breaches they suffer, and there are increasing signs that the UK will have to implement similar rules under proposed changes to the EU Data Protection Directive.

The US Securities Exchange Commission (SEC) recently issued a document clarifying a company's obligations with regard to data breaches.

The document stated that firms must disclose known or potential security incidents "if these issues are among the most significant factors that make an investment in the company speculative or risky".

The disclosure extends to admitting the known and potential costs of the breaches.

So should IT leaders welcome the prospect of having to work under a similar regulatory regime in the UK?

Rob Cotton, chief executive of IT assurance company NCC Group, argues that the UK government should look to implement similar rules here as soon as possible.

"Every individual has the right to know what's happened to their information, and investors have a right to know how their networks and businesses have been compromised.

"That should be advocated by the UK government. At present there is virtually no obligation for UK companies to disclose anything."

Graham Titterington, principal analyst at Ovum, is less certain about the value of compulsory disclosure laws.

"It's not clear cut as to whether disclosure is a good idea or not. The benefit is that it would make companies more security conscious because of the reputational damage that they suffer when the public hears of their breaches."

However, Titterington explains that the downside is that most people don't know what to do with the disclosure information once they've got it.

"Your data may have been breached, but so what? What do you do? Fly into a blind panic or ignore it? Neither reaction is very helpful."

But would the fear of reputational damage drive companies to tighten up their security measures? If so, that in itself might justify new legislation.

Titterington feels that if every company were forced to share details of its data breaches, the very frequency of the information would reduce its sting.

"Data breaches are so commonplace that the damage to the image has lost some of its potency; people just think: 'Oh, it's yet another data breach'.

"The first time you have a data breach people get overexcited, the next time you get data breach fatigue."

However, Titterington did accept that disclosure could be useful for both the public and investors, to see which companies are repeat offenders.

"I would get very worried if I'd invested money in an organisation which seemed to be a perpetual offender."

Cotton argues that disclosure should not be viewed as a burden to be placed on companies, but rather as a way of taking collective responsibility for security – sharing and learning from one another's mistakes.

"No one should be afraid of disclosure, we all have to move through cyberspace and breaches happen every day. The more we know about them and the more we do to combat them, the less the probability that something will be stolen.

"So let's not treat this as some form of stigma, let's put it in the public domain and learn from it."

Cotton believes that the idea has opponents in industry, but they are most likely to be companies with less than adequate security in place.

"The firms who won't support disclosure are those which aren't taking active measures to improve security.

"The biggest threat facing business today is the cost and consequence of being hacked. The loss due to industrial espionage and loss of IP is huge."

Just today, a report in the Telegraph cites the story of a firm in Warrington, Cheshire, which had the blueprint for its revolutionary wind turbine blades stolen from its servers. The consequences of hacking for this company were as bad as they could be.

The hackers used the stolen IP to produce cheaper versions of its designs and the firm went bust.

And Cotton says that the issue affects the UK economy as a whole, so firms should view this as an opportunity to band together against the common threat.

Part of the Information Commissioner's Office's (ICO) remit is to take action when firms breach the Data Protection Act, but Cotton believes that this is not enough in itself.

"The ICO tends to be a toothless tiger that does not want to stir up the hornets' nest."

He argues that too often the body chooses not to exercise its powers to fine organisations, leading many to question its utility. He concludes that the root of the problem is government itself, which still does not take security sufficiently seriously.

"There are still great tranches of government who believe security is just a box-ticking exercise," he adds.