According to SC magazine, a survey has found that 87 per cent of companies would prefer mandatory disclosure of data breaches. With many companies failing to implement adequate data security, combined with the potential for fines and an almost certain impact on corporate image following a breach, this statistic doesn’t seem to stack up.
Perhaps companies don’t think that they will be the one to fall victim to a breach? Maybe there is the perception that any requirements mandated by the regulators would be fairly minor?
Whatever the thinking may be, if or when breach notification is introduced more widely, regulators must ensure it is flexible enough to evolve over time. Just as the threats, and the security measures needed to counter them, keep changing, so must disclosure laws. Otherwise the press will eventually tire of disclosure stories and stop covering them, unless of course a breach is the ‘biggest yet’. The net result? Everyone becomes desensitized.
If disclosure laws are to carry sufficient clout, they must be accompanied by consumer watchdog agencies that actually score companies on their track record in managing privacy. For companies today, data security may be about staying out of the headlines and avoiding a one-time hit but, once someone starts keeping score, attention will shift to maintaining a good rating and not throwing away years of effort to build up a good security record with a single breach. There are already sites that track public breach disclosures, but they don’t analyse them or generate scores. Only when a simple rating system is in place, one that lets the companies with the best and the worst data security track records be compared, will disclosure laws grow some teeth, particularly for small and medium-sized breaches, and effect a step-change in business behaviour and buying decisions.