Steps in the right direction
Better disclosure laws and bigger fines will drive organisational behaviour
Published 11:41, 21 September 10
In my last blog, “Working Together? Not Yet,” I commented on the need for more transparency in the reporting of compromised customer data.
The catalyst for that blog was the cybertheft of funds from 3000 UK online bank accounts. The current lack of robust breach disclosure legislation in the UK means that more detail is unlikely to be forthcoming, and my argument was that transparency through disclosure would help keep the issue top of mind with consumers, as well as in the boardroom.
There were two news items in recent weeks, one here and one abroad, that caught my eye as being steps in the right direction.
Here in the UK the FSA fined a large insurer over £2.2m following the loss of personal and financial details of 46,000 of their customers. In this instance, the loss was not cyber-related but was the result of a backup tape that went missing in transit.
While customer data loss via laptops and electronic media continues to be an all too regular occurrence, the FSA fine this time was a substantial one. In fact, as of August 2010, it was the largest fine ever levied on a single firm in relation to data loss, and should serve as a wake-up call across the financial services sector.
The second news item was the passing of a stronger breach notification bill by the Californian legislature, although it still needs to be signed by the Governor. The bill sets out the informational items that must be disclosed in the event of a customer data breach.
As you’d expect from the home of so many information technology companies (including ours, I might add), I believe California was the first U.S. state to implement breach disclosure legislation and is now taking the lead once again in its refinement.
Standardised financial reporting is something we’ve come to expect from businesses and government agencies. Apart from the fact that it is a legal requirement, it allows us to more quickly understand a given situation and make comparisons between organisations. I believe similar benefits would come from standardised breach disclosure reporting.
Better disclosure laws and bigger fines on their own may not lower the rate of consumer data theft. They may, however, help drive the behavioural changes that are badly needed at both a personal and an organisational level.
In an ideal world, consumers would have the information at hand to decide whether their existing service providers are the ones to trust with their personal information; law enforcement agencies would be able to see all breach incidents in a timely manner, so as to quickly identify patterns of criminal behaviour; and public and private sector organisations would place the security of their customers’ personal information at the top of their priority list when it comes to customer retention and preserving brand value.
While we may be a long way from this vision today, I’m encouraged when I see people taking steps in the right direction.
Blog post by Iain Chidgey, General Manager, ArcSight EMEA