They may not be the only ones given data breaches are increasing over here in the U.K. too; so will we follow suit?
There is no doubt that cyber-security is one of the top concerns for the developed world. In an age where almost everything is digitalised and connected to the internet, cybercriminals have the power to bankrupt a multi-billion dollar business enterprise, collapse global organisations and even cause untold chaos to governments.
Legislative governments across the world are having to vote in new laws and regulations to defend against cybercrime. Now, the U.S. Congress are coming up with all sorts of ideas on how best to combat cybercrime, including the best procedures for reporting data breaches.
Reporting data breaches is absolutely crucial for cybersecurity. Like reporting a crime to the police, only knowledge of the crime can instigate investigations to identify the perpetrators, vulnerabilities and how to prevent the crime from recurring.
In the U.S, uniform data breach reporting across the whole nation appears highly unlikely. Vice president and account executive of global tech and privacy at Lockton Cos, Michael Born, said “everybody has an idea” on cybersecurity, but none of them will be agreed across all 48 states, and it’s therefore likely that each state will come up with its own rules. One idea was that cybercrime victims who get hacked should be able to hack their hacker in return!
A big obstacle
This is a big obstacle in American legislation as the nation is made up of very diverse states. Whilst it might be easier for states to enforce the rules they want, for multi-state or even global businesses and organisations, universal enforcement may restrict the services they provide. This in turn can have a knock-on effect on the individual as an innocent party.
When might it happen?
Cyber-crime is a relatively new phenomenon, so it’s likely it will be many more years before legislation catches up to allow for the most effective method of data breach reporting to be agreed upon. Here in the U.K, our independent Information Commissioner’s Office (ICO) is tasked with the role of monitoring and enforcing the Data Protection Act. During its investigations, the ICO takes into account several factors if a data breach has been found:
- The type of information
- The method of breach
- The data controller’s security systems
- How long a delay there was between the date of breach and date of knowledge by the data handler
- How long a delay there was between the data controller knowing about the breach and the data owner being informed the breach that may affect them
- Steps taken by the data controller to mitigate harm and loss to the data owner
Some service providers must notify the ICO within 24 hours of knowing about the breach of personal data. For most organisations, reporting a data breach to the authorities and coming clean to their consumers early on is much better than delaying it, and research has shown that many affected victims welcome early notification.