The case for mandatory data breach disclosure laws

The onus for effective data protection lies with the business

This year, we have seen a long list of organisations that have suffered data breaches. There are always important lessons to learn from such events, and in this article, we'll take a closer look at two breaches which occurred in the space of a fortnight back in August. Namely, the breach of eBay's ticket selling site StubHub, and online bookmakers Paddy Power.

In the first instance, and typical to almost every breach, what unites both is that personally identifiable information was stolen – including individual customer names, usernames, addresses, email addresses, phone contact numbers and dates of birth.

One breach leads to another

But what distinguishes the StubHub breach is that this compromise was not as a result of the company's servers coming under assault, but that the hackers had used login details and passwords obtained from previous attacks in order to gain network access. There have been numerous warnings that personal data nabbed in one heist can be used to design other, more insidious socially-engineered cyber-attacks, and this breach was confirmation of such an eventuality.

This is also one of the reasons why the recent revelation that a Russian hacking group has allegedly amassed 1.2 billion usernames and passwords is so significant. The black market thrives on this sort of data.

In the case of Paddy Power, the Irish bookmaker revealed that some 649,000 customers were affected by a breach that took place in 2010. Given that it took almost four years for the event to come to light, there has been the potential for other cyber-attacks to have been launched with Paddy Power customer data in the meantime. However, the significant amount of time it took for details of the incident to be released is not as rare an occurrence as you might think: Australian daily deals site Catch of the Day recently notified its customers of a breach that it experienced three years prior.

Compliance considerations

From a compliance point of view, both these cases add further urgency to the need to reclassify all data as 'sensitive' and add more weight to the mandate for tighter breach notification laws. There has been a growing trend towards personal data breach notification in Europe – for example, Germany and Ireland have both introduced more stringent national data breach notification requirements than those provided under the current e-Privacy Directive.

Given that the most recent draft of the proposed EU Data Protection Regulation stipulates that data controllers are obliged to notify the relevant privacy regulator of a breach within a 72 hour period, businesses across the board need to be ready to respond to breach incidents much faster, or face the adverse consequences.

In the fight against cybercrime, the need for mandatory data breach notification laws not only emphasises the dangers posed to the security of the international community, but also acts as a crucial reminder to businesses that the onus for effective data protection lies with them.

Big penalties

Another point to bear in mind is that other proposed changes to the law threaten to increase maximum fines for breached businesses from 2% to 5% of the company's global annual turnover – which means that failing to adequately secure data presents a very severe operational risk for organisations that hold personal data in their care, and to which the regulations apply. Cybercrime is a highly sophisticated and destructive industry targeting organisations of all shapes and sizes, capable of damaging brands and resulting in painful compliance penalties.

The fact that data breach incidents continue to make headlines confirms that businesses are still very much being targeted for customer data. As such, organisations must start appreciating the value of the sensitivity of the information they collect. For businesses looking to stay out of the headlines with bottom-line and consumer trust intact, ensuring they have appropriate data security solutions in place like encryption and access controls, coupled with security intelligence is essential.

Only by doing so will a business be alerted to unusual or anomalous user behaviour and network access as and when it happens, which may indicate an external attack or a malicious insider. It's important to remember that, aside from the raft of fraudsters, opportunists, hacktivists and organised crime syndicates out there, trusted 'insiders' can present as much of a risk to data as anyone else.