A data breach can force decisions to be made in as little as 30 minutes in order to keep an audit committee at bay.
Speaking at the IDC security conference in London, Jonathan Armstrong, partner at Duane Morris, said that in the heat of a data breach, there is a need to keep IT and compliance people on a tight lead.
He pointed to the Ponemon Institute survey on data breaches from this year, which found that 86 per cent of organisations had a laptop stolen and 61 per cent of those cases led to a data breach.
He also highlighted the UK legislative background, which reads: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
He said: “UK legislation says action ‘shall’ be taken but it is not made as a business case, and you have to determine that and have to go through the business and understand why they have not done it.
“There is large awareness in Europe but little legislation, but we are seeing more class actions in the US and in Europe. In the US there is no all-embracing law; it is done state by state.”
Looking at the need to move towards prevention and away from trying to find a cure, Armstrong said that the future could see more private actions, a greater degree of trust, more globalisation and more use of a ‘moral compass’.
He predicted that an independent moral compass will become more prevalent and will, as a third party, call what should happen in the case of a breach.
He said: “If in the case of a breach, it is not easy to tell your customers but the likelihood of heavy control is slim and the cyber criminal having your details is also slim, so are we worrying people unnecessarily? There are legal calls to be made, but it is a decision someone has to make.”