Name and shame when a data breach shows slack procedures, say our readers
Any data breach where personal information is leaked, should be reported to the authorities – by law. That’s what TechWeekEurope readers believe, at any rate, according to a poll.
Currently if your organisation suffers a data breach, it is up to you whether you report it, unless you are part of the NHS. It is commendable and honest if you let the Information Commissioner’s Office know, but you could face a fine for mishandling information of your clients. Indeed, TechWeekEurope has found evidence that some companies may be keeping quiet about a breach, and then undergoing a “voluntary audit” in which the breach might come to light with no consequences.
The EU has proposed a law which would require organisations to report any large data breach within 24 hours. However,that law is not enacted yet – although all public bodies in the UK do have to report leaks of personal data.
We had a substantial number of votes (more than 300 so far), and there was a huge majority (84 percent) in favour of the idea of mandatory data breach reporting.
Only around 13 percent thought the difficulties of such a system would outweigh the benefits. For these people, it seemed that the amount of bureaucracy and paperwork involved in the scheme was too much.
Famously, Coca-Cola experienced a breach and kept quiet for years, feeling that owning up would damage its reputation.
Security professionals would generally rather see problems reported – as this enables the rest of the community to learn from what happened. Without mandatory reporting, some exploits can remain unpatched for a long while, even though some people know about them from bitter experience.
Are you a security expert? Try our quiz!