{"id":527,"date":"2013-02-09T23:54:33","date_gmt":"2013-02-09T23:54:33","guid":{"rendered":"http:\/\/www.halkynconsulting.co.uk\/a\/?p=527"},"modified":"2013-06-14T21:19:10","modified_gmt":"2013-06-14T20:19:10","slug":"mandatory-reporting-of-data-security-breaches","status":"publish","type":"post","link":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/02\/mandatory-reporting-of-data-security-breaches\/","title":{"rendered":"Mandatory Reporting of Data Security Breaches"},"content":{"rendered":"
\"Mandatory
Mandatory security breach reporting – good thing, or just more paperwork?<\/figcaption><\/figure>\n

It has been announced that the European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, is looking to bring in mandatory reporting of information security breaches, at least within some industry sectors.<\/p>\n

In an interesting press release titled “EU Cybersecurity plan to protect open internet and online freedom and opportunity<\/a>“, makes the proposal as part of it is overarching strategy on the cumbersome-named “cybersecurity” and “network & information security.”<\/p>\n

One of the more interesting part of the proposal is the bit that has been picked up by most news agencies this week, and it runs as follows: (the emphasis is ours)<\/p>\n

Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services<\/strong>.<\/p><\/blockquote>\n

In most (admittedly not all) state run organisations (for example, City Councils & the NHS in the UK) there are already mandatory reporting requirements but it is has frequently been claimed across Europe that private companies are able to hush up data security breaches. This has cast doubt on security studies (such as the Ponemon data breach report) as it is never been clear if everything is being captured.<\/p>\n

Creating a mandatory reporting requirement for such a broad spread of service providers seems to be an effective way to level the playing field, as long as it is properly enforced. Any public company has to weigh up competing interests before reporting a data breach and it seems likely that this is going to be just another factor to be considered. (For example, if the fine for not reporting is \u00a310,000 but the likely loss in profit from the public reaction is \u00a3100,000, lots of companies will opt to not report<\/em>).<\/p>\n

There is another hurdle that will need to be ironed out by the EU – and that is what constitutes a “major” security incident. There is no clearly agreed definition of this and I suspect entire books could be written on the subject.<\/p>\n

However, if the EU can get over these obstacles, then this could actually be a very good move – even if companies try to resist it initially:<\/p>\n