Do we need tougher breach notification rules?

The Travelex ransomware raises the question, once again, of whether organisations should be obliged to provide more information

When Travelex was hit by a ransomware attack on New Year's Eve, not just taking down its website, but the systems that enable it to do business, it was days before it even admitted it. Even then, it would only say that it had been hit by a virus.

And as speculation mounted, it took a week before it admitted that the virus was, in fact, ransomware - just as the speculation had suggested.

Furthermore, the company was adamant that no personal data had been compromised. Indeed, it was so confident that it didn't even bother notifying the Information Commissioner's Office (ICO) within the 72 hour deadline demanded under GDPR.

It reasoned that the data hadn't, literally, been breached - merely encrypted and therefore rendered unreadable. "There is still no evidence to date that any data has been exfiltrated," the company insisted in a statement released a week after the ransomware attack took place.

Of course, the ICO takes a very different and arguably less liberal view of what constitutes a ‘data leak', which means that Travelex's upcoming appointments with information commissioner Elizabeth Denham could prove very interesting,especially with its parent company now reportedly in deep financial difficulties.

The reticence of Travelex to simply come clean has re-opened the question, once again, about how much information the public has a right to hear about data breaches that could potentially affect them.

Besides, with financial services giant Finastra also falling victim to ransomware just months after Travelex, supposedly compromised by the very same vulnerability, perhaps it's time that naming, shaming and obliging full public disclosure is the only way to make organisations take security seriously?

Data breaches are a major risk for businesses of all industries. According toresearch from Risk Based Security, the number of breaches grew by 33 per cent in 2019. Last year, a staggering 7.9 billion records were leaked from 5,183 breaches, and this could reach 8.5 billion in the foreseeable future.

Across the European Union, some €114 million in fines were levied in 2018 and 2019 and this figure is based purely on publicised fines, and doesn't include proposed fines that have not been finalised yet.

When organisations are affected by a cyber attack resulting in data loss, they have a duty to notify the relevant authorities, as well as the individuals whose personal information has been leaked. In the UK, data breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours.

Jamie Brown, director of global government affairs at Tenable, says: "GDPR states that organisations should report any personal data breach, where there is a risk to an individual's rights and freedoms, to the relevant supervisory authority.

"Other than notifying the Information Commissioner's Office (ICO), there is no legal requirement to publicly disclose a breach. However, GDPR does state that, should there be a risk to the individual affected, they must also be informed."

But, he adds, breach notification rules differ for critical infrastructure providers. Brown says: "The Security of Network & Information Systems Regulations (NIS Regulations), EU-wide legislation that came into force in the UK in May 2018, encompasses both cyber and physical resilience of critical infrastructure.

"This covers any and all services that are critical for the provision of digital services (online marketplaces, online search engines, cloud computing services) and essential services (transport, energy, water, health, and digital infrastructure services)."

Disclosing breaches

But how much do organisations need to publicly disclose, and what can they - and should they - keep to themselves?

Brown continues: "Under both GDPR and NIS, there is no legal requirement for organisations to publicly disclose a cyber breach or incident. However, given the ICO will disclose penalties and enforcement action it has taken, plus the likelihood of affected individuals disclosing breach notices, it is difficult to hide a data breach.

"First, organisations should fully investigate the breach and patch any security weaknesses before disclosing to affected individuals, to avoid exacerbating any breaches or disclose continued security weaknesses to potential attackers. A further reason is to allow relevant authorities to capture evidence that can help with a future prosecution. If a threat actor is tipped off that they have been discovered they could take action to eradicate evidence or even destroy systems to prevent being traced."

Dan Pitman, principal security architect at Alert Logic, explains that disclosing details to the supervisory authority and to the subjects of the data breach will almost certainly, in any case, result in public disclosure. He says: "In many cases, the lack of information about the subjects of a breach means that public disclosure is the only option to ensure their customers are notified.

"Until they are confident they have closed the breach down companies should not disclose the technical nature of the breach, however once mitigated it would be morally good practice to explain what happened and why to increase awareness and understanding of security risks in the wider community."

Stricter rules are needed

However, as data breaches grow in frequency, many experts believe that there is a need for tougher breach notification rules. Jake Moore, cyber security specialist at Eset, takes the view that we should promote the public admission of data breaches to be able to learn from them.

He tells Computing: "Collaboration is the only way to beat cyber attacks, and therefore at the detriment to PR, I think we should admit mistakes at the earliest possibility. No one is completely safe from cybercrime, so I think it's made worse when an attack surfaces from years ago.

"We can then learn far more together, and I truly believe we have come through to a point where people lose more trust for a company covering up an attack rather than holding their hands up early and rectifying their mistakes."

In particular, Moore argues that companies that hide huge attacks should be publicly shamed. He says that while this may seem extreme, it would most likely work. "Once the mindset is changed on what is possible and that it's proven that extra security is then further in place, we will start to see that shift in culture and being more Open. This in time beats future attacks."

Nicky Whiting, head of consultancy at Bulletproof, agrees that these rules should be toughened. She says: "I think we should have more rules to cover the scenarios where it is not mandatory to report at the moment. It might make companies wake up and realise that, if they have a breach, it will definitely be made public. At the moment, companies can try and hide - however, it's increasingly difficult to keep a breach under wraps."

Russian roulette

Although businesses clearly have a duty to report breaches, these rules aren't perfect and can have unforeseen circumstances. Tim Hickman, partner at White & Case, says that "failure to satisfy these reporting requirements carries potentially significant financial penalties."

He continues: "However, in practice, this has resulted in over-reporting of data breaches, with many businesses reporting extremely minor incidents to regulators for fear of incurring large fines.

"EU regulators have consequently been inundated with unnecessary reports by risk-averse businesses, and individuals have become needlessly concerned in relation to breaches that carry little risk of real harm."

Hickman adds that, as a result, some EU regulators have begun to encourage organisations to only report very serious data breaches so that their resources aren't wasted. He adds: "It remains to be seen whether businesses will heed this encouragement or will continue to tread a risk-averse path."

Ilia Kolochenko, CEO of ImmuniWeb, believes that tougher rules could result in organisations concealing breaches because over-regulation will make disclosure economically impractical and could even drive them out of business. He says: "Others will simply quit the industry, people will lose jobs and the economy will suffer. Thus, it is essential to maintain the right balance between the rights of the would-be victims and concerned organisations that will eventually bear the burden amid economic slowdown and looming financial crisis."

With the connected ecosystem rapidly growing, it's likely that we will continue to see data breaches hitting the headlines - and, perhaps, many more that won't. As a result, there will be a growing need for robust breach notification rules that protect everyone. But making these tougher without damaging businesses, especially in the current climate, will be challenging.