This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Security and legal professionals claim 24-hour breach notification will not be a complete burden

Share this article:
24-hour breach notification 'unfeasible'
24-hour breach notification 'unfeasible'

The proposed 24-hour breach notification law will be a challenge for smaller businesses, but not for enterprises.

Speaking on a recent SC Magazine webcast, Stephen Kerslake, group information security manager at Virgin Media, said that it was not impractical, as the bigger organisations that would have to subscribe to it already have resources in place to support it.

“For example, all the major telcos in the UK have 24/7 security operating or network management facilities whereby a report can be generated instantly,” he said.

“More so, that report will be generated from monitoring network activity across their entire infrastructure and on the detection of a malpractice or an incident, they could very quickly determine what the circumstances were and what needed reporting.

“So I don't think it is unrealistic in our terms, where it may be unrealistic is with a small-to-medium enterprise for example, who don't have the necessary resources.”

Asked if this meant that a ‘one size fits all' template did not work, former information commissioner Richard Thomas, now a consultant at law firm Hunton & Williams, said that he agreed with this. He said that at the moment, it is only the telcos that have a legal obligation to report a breach to the Information Commissioner's Office (ICO), and others are encouraged to report where necessary.

He said: “The worry is, if it becomes mandatory for all organisations to report all breaches, that is really quite burdensome for small and medium businesses, and some larger ones.

“I also worry about the burden on the ICO's shoulders. When you have this blanket approach it becomes very difficult for any regulator to set priorities and work out what is really important, and focus resources on those areas where you need to intervene and take action.”

In agreement with Thomas was Jonathan Armstrong, partner at law firm Duane Morris, who said that 24-hour reporting was not unrealistic and that some companies limit the number of insiders who know about a breach.

He said: “I'd rather they put their finger in the dyke and stopped the breach and stopped worrying about reporting. In the US, the time doesn't run until law enforcement leave the scene and I would like to see that. Also, if all data is encrypted, should it really be reported? Most of the US statures have that as exemption.

“You also need to take into account notification fatigue; the US has got itself into a mess as people report relatively trivial breaches, so whenever a serious breach happens, people just bin the envelope. That increases the burden on everyone.”

Thomas said that the real priority is not to take steps to notify people, but to stop the breach. Kerslake also said that an online facility for organisations to report into the ICO would be better, and said that this could be used as an awareness facility on what is important in terms of reporting and what is not.

Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

Cyber security still a learning curve for most companies

Cyber security still a learning curve for most ...

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two ...

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.