Regulators should make breach disclosure compulsory

Organizations attacked by hackers ought to disclose the breaches to affected consumers, but regulators need to strike a balance as revealing system flaws publicly might invite more troubles.
Written by Ellyne Phneah, Contributor

Regulators will have to take responsibility and make it compulsory for organizations to report instances of cybersecurity breaches. Without government pressure, companies will not voluntarily disclose such incidents as it would negatively impact their reputations and stir shareholders' concerns.

Guillaume Lovet, senior manager of Fortinet's FortiGuard Threat Response team, was one industry watcher who told ZDNet Asia that if a breach occurred and it affected customers' data, regulators ought to compel the company to "come clean".

Without legal ramifications, companies are unlikely to report any attacks as such disclosure would impact their businesses and result in possible loss of reputation and cause shareholders to be concerned over the lapse in security, he explained.

However, it is a consumer's "unalienable universal right" to have control over their personal data, and it is the company's duty to notify them when their information has been compromised, the executive pointed out.

Ngair Teow Hin, CEO of SecureAge, agreed. He said companies will not report a breach on their systems as their foremost concern would be their shareholders and such disclosures will not benefit them.

The legal framework, at least in Singapore, has yet to address this issue though. The soon-to-be-operational Personal Data Protection Act did not make it compulsory for companies to disclose breaches, and Ngair speculated this could be done on purpose to help companies reduce the already hefty compliance costs.

By contrast, the United States, European Union and Australia are some countries that have put in place data breach notification regulations to protect consumers. This puts Singapore behind the ongoing data protection trend globally, he said.

The executives' comments come after more than 10,000 civil servants in the United Kingdom discovered their personal details had been compromised, two years after the hack took place. On Wednesday, it was reported the Civil Service Sports Club (CSSC) was forced to send out a letter warning its members their personal information may have been stolen in a data breach that took place in 2010.

Affected information included addresses, phone numbers and National Insurance details, although the CSSC did not say how many members' details were at risk or how the attack took place.

One affected member took to Twitter to vent her outrage. Claire Jamieson tweeted: "Nearly three years to notify members their personal details have been stolen! Not good enough #CSSC Explains a bogus benefit claim in my name!"

Disclose information wisely
Ngair did qualify that the need to get companies to reveal breaches has to be balanced with limiting disclosure to those with a need to know. Regulators should also have provisions in place to prevent similar breaches from happening again, he said.

For instance, only serious breaches should be reported; cases that qualify would include those affecting a sizeable number of people or resulting in the loss of sensitive data. Such information includes credit card numbers, medical information and personally identifiable details, he explained.

In addition, companies should reveal information selectively in public, Lovet added.

For instance, all information pertaining to customers and user data should be disclosed, but details of the system flaw that was exploited should not be communicated to the general public. This is to protect the company's internal systems so other hackers cannot use the flaw against it again, he said.
