It has been announced that the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, is looking to bring in mandatory reporting of information security breaches, at least within some industry sectors.
An interesting press release titled “EU Cybersecurity plan to protect open internet and online freedom and opportunity“ makes the proposal as part of the EU's overarching strategy on the cumbersomely named “cybersecurity” and “network & information security.”
One of the more interesting parts of the proposal is the bit that has been picked up by most news agencies this week, and it runs as follows (the emphasis is ours):
Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.
In most (admittedly not all) state-run organisations (for example, City Councils and the NHS in the UK) there are already mandatory reporting requirements, but it has frequently been claimed across Europe that private companies are able to hush up data security breaches. This has cast doubt on security studies (such as the Ponemon data breach report), as it has never been clear whether everything is being captured.
Creating a mandatory reporting requirement for such a broad spread of service providers seems to be an effective way to level the playing field, as long as it is properly enforced. Any public company has to weigh up competing interests before reporting a data breach, and it seems likely that the requirement will simply become another factor in that calculation. (For example, if the fine for not reporting is £10,000 but the likely loss in profit from the public reaction is £100,000, lots of companies will opt not to report.)
There is another hurdle that will need to be ironed out by the EU – and that is what constitutes a “major” security incident. There is no clearly agreed definition of this and I suspect entire books could be written on the subject.
However, if the EU can get over these obstacles, then this could actually be a very good move – even if companies try to resist it initially:
- The pain of reporting a data breach creates an incentive to provide better security driven by sound risk management strategies.
- As companies report security breaches, we will get better quality intelligence on what drives the breaches and how much impact they have.
- The more security breaches that are reported, the greater pressure there is for police forces (national or international) to become involved and punish offenders – at the moment, hackers are only prosecuted in exceptional circumstances and often private companies are forced to utilise their own resources post-breach.
Time will tell if the EU actually implements this reporting requirement, but in the meantime, good practice would be to make sure that you have the following mechanisms in place (if you do, the EU requirements are likely to be painless):
- A well run, well documented risk management process across your organisation.
- A well documented and properly implemented security management system.
- Robust network monitoring and incident detection systems.
- Sound incident management processes.
- Good, timely, reporting chains.
This is good practice with or without regulations, so you really should be doing it now!