Awareness of cyber security is increasing and its impact on businesses across the globe is starting to bite. Legal and governing institutions overseas are starting to recognise the threat – the United Kingdom Government with the Law Society of England and Wales last year produced comprehensive cyber security guidelines “10 Steps to Cyber Security”. Cyber Crime disclosure is becoming more frequent!
As part of this report, it was estimated that 93% of large corporations and 87% of small businesses reported a cyber breach. The financial impact ranged from GBP35,000 to GBP850,000. New Zealand figures are considered to be comparable; however, we do not have the strict disclosure legislation that exists in most states of the USA and in the EU.
Australia has been planning on introducing a data breach notification law which would require organisations to notify the Australian Information Commissioner as well as any impacted customers and clients of serious data breaches. Where Australia heads, New Zealand has traditionally followed, and it is expected that New Zealand will eventually propose similar legislation. As it stands today, there is no mandatory requirement to report data breaches, although there have been guidelines for voluntary reporting to the New Zealand Privacy Commission since 2008.
From a high level perspective, the lack of legal obligation to report means that there is a significant gap in the continuous improvement cycle. How can you address the issue when you don’t really understand the size and scope of the problem? From a more punitive perspective, how can you hope to catch and apprehend perpetrators if this information is not provided to those with the authority to bring them to justice?
Understandably, if word got out that a company had been hacked and customer information accessed, continued custom and company reputation would be at stake. A good recent example was the attack on Yahoo! Mandatory reporting is critical – it levels out the playing field for all companies and organisations. The current system with its lack of mandatory reporting inadvertently feeds the fear of disclosure and allows less scrupulous companies to keep customers in ignorant bliss. This is a lesson that Target has learnt the hard way as they are being sued by 11 customers (and possibly more to follow) for not taking adequate steps to protect their data and for not telling them about the breach before the story broke in the media.
There is obviously an education piece missing here: we need to increase the understanding that cyber-crime is just like any other security breach. It is widely accepted that any shop, service provider or organisation can be broken into by a thug with a gun and a mask. Therefore, this same understanding needs to be applied to cyber criminals and hackers. This allows us to focus on asking the important questions – what controls or mitigations did the organisation put in place to prevent the robbery, break-in or security breach from occurring? What were the security arrangements that they employed to protect your personal information? What was their information risk management regime?
If companies and organisations all have to report breaches, we can then use this information to plug the all-important continuous improvement gap to our collective advantage. After all, the aim is to make it ever more difficult to hack into systems and protect data for everyone’s benefit.