Reporting of security breaches should be included in regular reports
Reports that a leading legal expert has called for the mandatory reporting of all data breaches to the UK Information Commissioner’s Office (ICO) – in order to bring more clarity to the amount of data being lost and improve efforts to prevent breaches – should be tempered by the reputational risk to the companies concerned.
And it’s because of the reputational risk, that the mandatory reporting should be included in the company’s regular accounting releases, such as quarterly and annual reports.
“That way the issue can be given the precedence it requires, but also allowing the company to report the security breaches to all interested parties, namely the shareholders and employees, rather than simply catering to sensationalists and the media generally,” said Rolf von Roessing, ISACA’s international VP.
“The idea of mandatory reporting is an excellent one and one that should be embraced, but rather than risking the reputation of a company being pilloried – and perhaps sending its share plummeting as a result of unfettered media reporting – the reporting process should be more measured, and require the `signing off’ of the report by management, in a similar process to Sarbanes-Oxley s302 disclosure reporting in the US,” he added.
According to von Roessing, the fact that someone of the stature of a partner with Field Fisher Waterhouse is saying that mandatory reporting is now necessary to stop companies attempting from burying their bad news, indicates the strength of business feeling about the issue of reporting of security breaches.
However, he says, whilst the public has a legitimate interest in learning about security breaches, it is important to look at the bigger picture, that of the real public interest in a company being seen to learn from its mistakes and allowing management to recover a situation, rather than subjecting the company to a public witch hunt which benefits no-one in the longer term.
The UK is relatively unique in having increased its maximum penalty for a serious breach of its data protection legislation to half a million pounds, yet has not imposed anywhere near that sort of fine on any organization so far.
Obviously, the fear of being the first company to be hit by a hefty fine – and the attendant publicity surrounding that fine – is almost certainly what is helping to ensure that many IT departments are keeping up with the latest in information security and protection, but threats are neither enough nor appropriate to improve information security in the longer term.
This is a great `stick’ to threaten IT staff with for the time being, but it is very questionable how long the threat on its own will be sufficient, or whether a `stick’ approach is indeed the best one for the industry as a whole. Inevitably, information security breaches cause major damage, and many organizations need help rather than punishment.
In the longer term there is a definite need for an educational stance and new approaches to be adopted by security regulatory authorities such as the ICO, and this is where mandatory reporting in a controlled manner makes a lot of sense, since it considerably levels the playing field.