iTnews

UK 24-hour breach notification not a big burden

By Dan Raywood on May 6, 2013 6:50AM
UK 24-hour breach notification not a big burden

Enterprises can handle it but not small biz.

A proposed 24-hour breach notification law in Britain will be a challenge for smaller businesses, but not for enterprises.

In Australia, the Federal Government has progressed its plans for a data breach notification scheme, sharing a draft bill, obtained by SC, with a small number of key stakeholders.

UK Virgin Media group information security manager Stephen Kerslake said it was not impractical to comply as enterprises that would subscribe to it already have supporting resources in place.

“For example, all the major telcos in the UK have 24/7 security operating or network management facilities whereby a report can be generated instantly,” he said.

“More so, that report will be generated from monitoring network activity across their entire infrastructure and on the detection of a malpractice or an incident, they could very quickly determine what the circumstances were and what needed reporting.

“So I don't think it is unrealistic in our terms, where it may be unrealistic is with a small-to-medium enterprise for example, who don't have the necessary resources.”

Former UK Information Commissioner Richard Thomas agreed that a one-size-fits-all-template did not work.

Only telcos were legally obliged to report a breach to the Information Commissioner's Office (ICO), while others were encouraged to report where necessary.

“The worry is, if it becomes mandatory for all organisations to report all breaches, that is really quite burdensome for small and medium businesses, and some larger ones," Thomas said.

“I also worry about the burden on the ICO's shoulders. When you have this blanket approach it becomes very difficult for any regulator to set priorities and work out what is really important, and focus resources on those areas where you need to intervene and take action.”

Duane Morris partner Jonathan Armstrong said that 24-hour reporting was not unrealistic.

“I'd rather they put their finger in the dyke and stopped the breach and stopped worrying about reporting. In the US, the time doesn't run until law enforcement leave the scene and I would like to see that. Also, if all data is encrypted, should it really be reported? Most of the US statures have that as exemption," he said.

“You also need to take into account notification fatigue; the US has got itself into a mess as people report relatively trivial breaches, so whenever a serious breach happens, people just bin the envelope. That increases the burden on everyone.”

Thomas said that the real priority is not to take steps to notify people, but to stop the breach.

Kerslake also said that an online facility for organisations to report into the ICO would be better, and said that this could be used as an awareness facility on what is important in terms of reporting and what is not.

This article originally appeared at scmagazineuk.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, UK edition
Tags:
breachdatadata breachsecurity

Partner Content

5 essential digital transformation ideas
Promoted Content 5 essential digital transformation ideas
Alienated from your own data? You’re not alone
Promoted Content Alienated from your own data? You’re not alone
Vast majority of surveyed firms still rely on password authentication
Promoted Content Vast majority of surveyed firms still rely on password authentication
Top 5 Benefits of Managed IT Services
Promoted Content Top 5 Benefits of Managed IT Services

Sponsored Whitepapers

Planning before the breach: You can’t protect what you can’t see
Planning before the breach: You can’t protect what you can’t see
Beyond FTP: Securing and Managing File Transfers
Beyond FTP: Securing and Managing File Transfers
NextGen Security Operations: A Roadmap for the Future
NextGen Security Operations: A Roadmap for the Future
Video: Watch Juniper talk about its Aston Martin partnership
Video: Watch Juniper talk about its Aston Martin partnership
Don’t pay the ransom: A three-step guide to ransomware protection
Don’t pay the ransom: A three-step guide to ransomware protection

Events

  • iTnews Benchmark Awards 2022 - Finalist Showcase
  • 11th Annual Fraud Prevention Summit 2022
  • IoT Impact Conference
  • Cyber Security for Government Summit
By Dan Raywood
May 6 2013
6:50AM
0 Comments

Related Articles

  • TfNSW finds more customers, employees impacted by Accellion breach
  • Australia's Copyright Agency investigates cyber incident
  • Oxfam Australia creates CDO role after data breach
  • NSW Education had unknown vulnerability in breached system
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Kmart Australia stands up consent-as-a-service platform

Kmart Australia stands up consent-as-a-service platform

NSW digital driver's licences 'easily forgeable'

NSW digital driver's licences 'easily forgeable'

Kmart Australia re-platforms ecommerce site to AWS

Kmart Australia re-platforms ecommerce site to AWS

Westpac promotes its head of technology to mortgage role

Westpac promotes its head of technology to mortgage role

Digital Nation

Metaverse hype will transition into new business models by mid decade: Gartner
Metaverse hype will transition into new business models by mid decade: Gartner
As NFTs gain traction, businesses start taking early bets
As NFTs gain traction, businesses start taking early bets
Case Study: PlayHQ leverages graph technologies for sports administration
Case Study: PlayHQ leverages graph technologies for sports administration
The other ‘CTO’: The emerging role of the chief transformation officer
The other ‘CTO’: The emerging role of the chief transformation officer
COVER STORY: From cost control to customer fanatics, AI is transforming the contact centre
COVER STORY: From cost control to customer fanatics, AI is transforming the contact centre
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of nextmedia's Privacy Policy and Terms & Conditions.