Regulators should make breach disclosure compulsory

Summary: Organizations attacked by hackers ought to disclose the breaches to affected consumers, but regulators need to strike a balance as revealing system flaws publicly might invite more troubles.

Regulators will have to take responsibility and make it compulsory for organizations to report instances of cybersecurity breaches. Without government pressure, companies will not voluntarily disclose such incidents as it would negatively impact their reputations and stir shareholders' concerns.

Guillaume Lovet, senior manager of Fortinet's FortiGuard Threat Response team, was one industry watcher who told ZDNet Asia that if a breach occurred and it affected customers' data, regulators ought to compel the company to "come clean".

Without legal ramifications, companies are unlikely to report any attacks as such disclosure would impact their businesses and result in possible loss of reputation and cause shareholders to be concerned over the lapse in security, he explained.

However, it is a consumer's "unalienable universal right" to have control over their personal data, and it is the company's duty to notify them when their information has been compromised, the executive pointed out.

Ngair Teow Hin, CEO of SecureAge, agreed. He said companies will not report a breach on their systems as their foremost concern would be their shareholders and such disclosures will not benefit them.

The legal framework, at least in Singapore, has yet to address this issue though. The soon-to-be-operational Personal Data Protection Act did not make it compulsory for companies to disclose breaches, and Ngair speculated this could be done on purpose to help companies reduce the already hefty compliance costs.

By contrast, the United States, European Union and Australia are some countries that have put in place data breach notification regulations to protect consumers. This puts Singapore behind the ongoing data protection trend globally, he said.

The executives' comments come after more than 10,000 civil servants in the United Kingdom discovered their personal details had been compromised, two years after the hack took place. On Wednesday, it was reported the Civil Service Sports Club (CSSC) was forced to send out a letter warning its members their personal information may have been stolen in a data breach that took place in 2010.

The affected information included addresses, phone numbers and National Insurance details, although the CSSC did not say how many members' details were at risk or how the attack took place.

One affected member took to Twitter to vent her outrage. Claire Jamieson tweeted: "Nearly three years to notify members their personal details have been stolen! Not good enough #CSSC Explains a bogus benefit claim in my name!"

Disclose information wisely
Ngair did qualify that the need to get companies to reveal breaches has to be balanced with limiting the disclosure to those on a need-to-know basis. Regulators should also have provisions in place to prevent similar breaches from happening again, he said.

For instance, only serious breaches should be reported, and cases that qualify would include those that affect a sizeable number of people or result in the loss of sensitive data. Such information includes credit card numbers, medical information and personally identifiable details, he explained.

In addition, companies should reveal information selectively in public, Lovet added.

For instance, all information pertaining to customers and user data should be disclosed but details of the system flaw which was exploited should not be communicated to the general public. This is to protect its internal system so other hackers will not use it further against the company, he said.

Topics: Security, Government, Legal

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

Talkback

1 comment
  • All Vulnerabilities Should Be Disclosed ASAP

    "For instance, all information pertaining to customers and user data should be disclosed but details of the system flaw which was exploited should not be communicated to the general public. This is to protect its internal system so other hackers will not use it further against the company, he said."

    I fundamentally disagree with this. First of all, any vulnerable system should be immediately taken offline and fixed as soon as the flaw/breach is discovered. That is how you prevent either the same hacker or other hackers from coming back and exploiting it again; security through obscurity simply does not work. Secondly, what if the flaw originates from the vendor of the system as opposed to the entity that was breached? How many other customers of said vendor might be at risk from the exact same exploit but won't be informed because the breached entity won't reveal the information?
    Dyndrilliac