Cracking the code of silence
New European rules aim to make companies more transparent about data breaches,
but some experts warn that they may have the opposite effect
Written by The Economist Intelligence Unit
Pick a large company at random and there is a high chance that it
will have been the victim of a malicious security attack. In the UK,
over three-quarters (78%) of large organisations admitted that
they had been attacked by an unauthorised outsider in the previous
12 months, according to a 2013 report by the UK government’s
Department for Business, Innovation and Skills. Yet the number of
companies that have spoken publicly about data breaches remains
Clearly, companies are reluctant to reveal security incidents, even
though they are such a common occurrence. The recent compromise of
security at the major US retailer Target is a case in point. Details of the
breach, in which tens of millions of customers’ credit-card details were
compromised, were first revealed by the security expert and blogger
Brian Krebs, not the company itself.
For many companies the risks of disclosure outweigh the benefits. “This
is being driven by potential adverse publicity and the fear of loss of
confidence in the company,” says Paul Simmonds, a former information
security chief at the pharmaceutical firm AstraZeneca and the current
chief executive at the Global Identity Foundation. “There is little
perceived benefit in disclosing, especially if it’s not mandatory, against
lots of risk.”
Boards of directors, charged with maintaining the share price of publicly
listed companies, are especially unlikely to sanction any more disclosure
than is strictly necessary, lest the news trigger a share price crash.
That is not to say that companies keep security incidents entirely secret.
Security and IT chiefs generally recognise the long-term benefits of
greater transparency. They realise that if legitimate businesses are
to combat the criminals who are trying to steal their data, they must
share information just as effectively.
Most of this information sharing goes on behind closed doors, through
specialist professional forums. Last year, the UK government launched
the Cyber-Security Information Sharing Partnership (CISP), which
provides member companies with a “virtual environment” through
which they can share information about current and emerging security
CISP has been well received by UK businesses, says Stewart Room, a
security specialist and partner at the law firm Field Fisher Waterhouse.
“Businesses have really embraced the idea of sharing information on
threats, risks and breaches,” he says.
Still, their willingness to share mostly falls short of public disclosure,
meaning that customers—who may be at risk following a data breach—
are left in the dark. Soon, though, European companies may be forced
to disclose data breaches in public, if proposed revisions to the EU’s
data protection rules are ratified.
New laws proposed back in 2012, and still being debated in the halls of
Brussels, include a data breach notification law that would oblige
all companies above a certain size to disclose details of any breach
affecting customer data, within 24 hours of discovering it.
Backers believe this new rule will protect the right of citizens to know
what happens to information about them and will alert other businesses
to common threats.
However, the European Commission has also proposed considerable
fines for companies that fail to protect their customers’ data
adequately. Critics fear that the threat of a fine will in fact discourage
companies from disclosing data breaches.
Mr Room argues that businesses may see the new legislation more as a
trap than as a mechanism to encourage appropriate behaviour. “They
believe in sharing information and disclosing incidents in the right
way, with the right people,” Mr Room says. “But when it is a pathway to
sanctions, it does not appeal.”
In particular, many organisations believe that they should escape
sanction if they own up to a data breach, no matter how serious, as
long as they have behaved responsibly. This is not to say negligent
companies should go unpunished, Mr Room adds.
The 24-hour rule may also prove counterproductive, according to
Andrew Kellett, the principal security analyst for the IT advisory firm
Ovum. If senior management learn of a breach more than 24 hours after
it was first detected, for example, they may choose to keep quiet rather
than face a fine.
Meanwhile, Mr Kellett says, the average time it takes organisations to
detect breaches is getting longer. Research by the security company
Trustwave found that the average time to detection in 2012 was 210
days, up from 175 in 2011.
“It still takes an organisation too long to identify breaches,” says
Mr Kellett. “We’re not getting any better at detection. Indeed, we’re
Few would question the benefits of sharing information about security
incidents, but the manner in which that information should be shared
is still subject to debate. The European Commission hopes that it can
propagate a new culture of transparency with its proposed legislative
reforms, but some experts believe they could simply reinforce the code