The impact of mandatory breach notifications on UK plc
What do the latest EU plans mean for the UK and will it make the European enterprise a safer place?
So, the much-debated European Union plans for mandatory data breach notification have taken another step forward this month with a proposed new directive that would require cloud providers, social networks and e-commerce platforms to notify authorities of any security breach, and would force all EU member states to establish a Computer Emergency Readiness Team (CERT) in order to share security threat data in a highly co-ordinated manner.
Ross Brewer, vice president and managing director for international markets at LogRhythm, is adamant that the new law will be "exactly what the public needs in order to restore consumer confidence in cyber security." He insists that there is "an urgent need for organisations to reassure consumers they are capable of safeguarding networks."
Brewer is convinced that the public is in favour of mandatory disclosure, citing recent LogRhythm research which revealed that 80 per cent of those surveyed no longer trust organisations with their data, and that they rated social networks, along with 'gaming sites', as the least trustworthy in this regard.
"It's great to see that the EU proposal is in line with public demand by including major internet companies such as social media firms in its list of key organisations required to report any IT security breaches," Brewer says. But he is not completely happy, as he sees some glaring omissions: many organisations that are entrusted with high-worth data are not included in the scope of the proposed directive.
I'm inclined to agree. Assuming you go along with the notion that mandatory breach notification, as part of a truly transparent IT security strategy, makes for a safer environment in which to work and play, then for such a directive to have any real impact on consumer trust and organisational security it has to be all or nothing: everyone or nobody.
What's the point of cherry-picking certain enterprises and leaving others out? I recall having this very same debate with a whole bunch of CISOs from some of the UK's biggest organisations, within both the private and public sector, when I agreed to give a lecture at a security professionals' luncheon, having won the IT Security Journalist of the Year award for the first time way back in 2006.