Breach fatigue: do we even need notification laws?

Breach fatigue: do we even need notification laws?
Breach fatigue: do we even need notification laws?

Across the Atlantic, 2014 has been one of the most prolific years in recent memory for serious data breaches. Mandatory notification laws were, of course, brought in a few years ago to stop this very thing – the idea being that firms would take data security more seriously if they knew it could lead to damaging media headlines. Yet as the bad publicity continues to flow for the likes of Home Depot, JPMorgan and Target, are these laws still fit for purpose, and should the EU reconsider its own plans to roll-out similar regulations?

The European Union's General Data Protection Regulation seems to have been forever in the drafting, yet CSOs ignore its progress at their peril. For the first time it offers up the very real prospect of mandatory US-style breach notification rules for all organisations, rather than just communications service providers (CSPs), as at present. Yet a recent survey from consultancy Software Advice of more than 4,000 US adults seems to indicate breach notification fatigue is kicking in.

It found that over three-quarters (77 percent) had forgotten the eBay breach earlier this year had ever happened – despite the fact that the firm was forced to notify its 145 million customers. In fact, only two of 2014's top breaches as of September registered an awareness rate of more than 23 percent. Given this apparent low awareness of breach headlines, and the rising number of actual security incidents, are notification laws worth the paper they're written on?

A good place to start

Well, I'd argue they are still a step in the right direction. Some incidents are always going to resonate more with the public than others – perhaps those where consumers have suffered ID fraud, or been hit with a major service outage, as a result. Consider too a bank which has had to put up its charges to cover the costs of a major security incident. These situations would certainly be enough to shatter consumer apathy, impact brand loyalty and worry organisations keen to avoid the loss of custom, bad publicity and share price slump that could ensue.

When combined with the fines of up to five percent of turnover mooted by the European Commission, notification laws could still be a genuine and effective deterrent against poor data security practices.

Legislation is not always the right answer – especially in a notoriously fast-moving industry like information security. But I think it's an important step in this case. It will help to instil trust amongst consumers that the companies they interact with are acting in their best interests and taking data security seriously. The regulations can also help provide a baseline around which organisations like CERT-UK can build best practice advice.

Best practice: always the same

Successful CIOs and CSOs will be aware in any case that their job is at risk if they don't put in place the right security policies and processes. They'll work with trusted security partners, integrators and consultancies to draw up an overall risk framework. Then they'll look at securing the fundamentals: endpoints, networks, databases, servers and web platforms. They'll ensure all systems are patched and up-to-date and they'll understand where the security gaps are in cloud and virtual systems that third party vendors do not cover.

They'll also get better situational awareness and network visibility with tools like file integrity monitoring to spot advanced targeted attacks. Legacy POS and other systems and those run by third parties will be forced to adhere to the same stringent policies. And on top of all this, they'll make sure they have centralised management tools to unify and interpret the wealth of threat data generated.

Of course, it's not all about European level regulations mandating breach notifications and levying huge fines for serious security incidents. Organisations for one can help themselves by improving employee education on cyber security. In fact, with the rise of BYOD, every consumer is also a potential employee and security risk, so the European Commission could think about improving its public education programmes too.

In the end it might be at least three years before we see what finally happens with European breach notification regulations. But the fundamentals of good data security remain the same, and CSOs who proactively seek to follow them irrespective of European mandates will find themselves in the strongest position.

Contributed by Ross Dyer, UK Technical Director, Trend Micro

Sign up to our newsletters