The impact of mandatory breach notifications on UK plc

Features
By Davey Winder
published

What do the latest EU plans mean for the UK and will it make the European enterprise a safer place?

Data breach

So, the much debated European Union plans for mandatory data breach notification have taken another step forward this month with a proposed new directive that would impact cloud providers, social networks and e-commerce platforms to notify authorities regarding any security breach and force all EU member states to establish a Computer Emergency Readiness Team (CERT) in order to share security threat data in a highly co-ordinated manner.

Ross Brewer, vice president and managing director for international markets at LogRhythm, is adamant that the new law will be "exactly what the public needs in order to restore consumer confidence in cyber security." He insists that there is "an urgent need for organisations to reassure consumers they are capable of safeguarding networks."

Brewer is convinced that the public is in favour of mandatory disclosure, citing recent LogRhythm research which revealed 80 per cent no longer trust organisations with their data and social networks, along with 'gaming sites', as being the least trustworthy in this regard.

"It's great to see that the EU proposal is in line with public demand by including major internet companies such as social media firms in its list of key organisations required to report any IT security breaches," Brewer says. But he's not completely happy as he sees some glaring omissions amongst many organisations that are entrusted with high-worth data not being included in the scope of the proposed directive.

I'm inclined to agree. Assuming you go along with the notion that mandatory breach notification as part of a truly transparent IT security strategy makes for a safer environment to work and play, for such a directive to have any real impact as far as consumer trust and organisational security is concerned it has to be all or nothing, everyone or nobody.

What's the point of cherry picking certain enterprises and leaving others out? I recall having this very same debate with a whole bunch of CISOs from some of the UK's biggest organisations within both the private and public sector when I agreed to give a lecture at a security professionals luncheon having won the IT Security Journalist of the Year award for the first time way back in 2006.

Davey Winder
Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.