Concealing data breaches to be criminalised in the US, but what about the UK?

This week, ‘The Personal Data Privacy and Security Act’ was proposed in the US following a string of serious security breaches that compromised the sensitive data of hundreds of millions of people. If enacted, the bill would require US-based companies to report data breaches that threaten consumer privacy, and would impose stiff penalties on those that conceal them.

While such legislation has yet to be introduced in the UK, recent research carried out by OnePoll on behalf of IT security firm LogRhythm found that four out of five UK consumers want the UK Government to take a tougher stance on data security by introducing US-style breach disclosure laws.

While the UK is still behind the US in implementing such ‘name and shame’ legislation, it’s only a matter of time before similar laws requiring mandatory data breach notifications are implemented here.

The research clearly shows dissatisfaction with the minimal consequences organisations face when the personal data they hold is compromised: 70 percent of UK consumers want more prescriptive regulation and 80 percent support compulsory disclosure of data loss.

Organisations therefore need to move quickly to ensure that their security systems are ready for any data breach disclosure regulations, and that they do not fall into the trap of treating compliance as a one-off exercise rather than an ongoing obligation – otherwise, they risk severe penalties.

It is vital that organisations make better use of the log and audit data their systems already generate to identify aberrant activity – all too often this information is collected inconsistently and left scattered across disparate tools. Organisations must remember that the best security programmes focus as much on alerting them to misuse of data once an attacker is inside as they do on preventing intrusions.

The repeated high-profile security incidents currently making the news should have proved to everyone that data breaches are now an inevitability. Today, defending networks depends on traceability – organisations need the ability to connect seemingly unrelated events from different systems so that anomalies can be identified and action taken to minimise damage.

Regardless of how stringent any new data breach disclosure regulations turn out to be, it is undeniably best practice for organisations to be constantly aware of even the smallest changes occurring across their IT systems, since spotting an intrusion early is what stops it becoming a major breach. Only by attaining a deep insight into what is occurring internally will organisations be able to truly secure their IT systems and earn the public’s trust.
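As an illustration of the kind of cross-source correlation the two paragraphs above argue for, here is a small added example (written for this page, not LogRhythm’s or any vendor’s code). It joins a VPN authentication log with a database audit log so that two events that look unremarkable on their own – a successful login from an address the user has never used before, and a large export shortly afterwards – are raised together as one high-severity alert. The log lines, the user-to-address baseline, the 15-minute window and the 10,000-row threshold are all constructed for the example and are not drawn from any real environment.

```python
"""Correlate events across two log sources to surface anomalous data access.

Constructed example: the log lines, baseline addresses and thresholds below
are invented for illustration and do not describe any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Each line is:
#   <ISO timestamp> <system> <action> key=value ...
VPN_LOG = [
    "2011-06-08T08:02:11Z vpn login user=alice src=203.0.113.7 result=ok",
    "2011-06-08T08:05:40Z vpn login user=bob src=198.51.100.23 result=ok",
    "2011-06-08T23:14:02Z vpn login user=alice src=192.0.2.200 result=ok",
]
DB_LOG = [
    "2011-06-08T08:10:00Z db query user=alice table=customers rows=120",
    "2011-06-08T08:12:30Z db query user=bob table=orders rows=45",
    "2011-06-08T23:16:45Z db export user=alice table=customers rows=250000",
]

# Hypothetical baseline of source addresses each user normally connects from.
KNOWN_SOURCES = {"alice": {"203.0.113.7"}, "bob": {"198.51.100.23"}}
ROW_THRESHOLD = 10_000          # assumed "bulk access" cut-off for this example
WINDOW = timedelta(minutes=15)  # how long after a login we link DB activity to it


def parse(line):
    """Turn one log line into a dict with a datetime and the key=value fields."""
    ts, system, action, *fields = line.split()
    event = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "system": system,
        "action": action,
    }
    for item in fields:
        key, value = item.split("=", 1)
        event[key] = value
    return event


def correlate(vpn_lines, db_lines, known=KNOWN_SOURCES,
              threshold=ROW_THRESHOLD, window=WINDOW):
    """Link bulk database access to the VPN login that preceded it.

    A large export on its own is medium severity (it may be a legitimate job);
    a large export following a login from an address never seen for that user
    is high severity, because neither event explains the other innocently.
    """
    logins = defaultdict(list)
    for event in map(parse, vpn_lines):
        if event["action"] == "login" and event.get("result") == "ok":
            logins[event["user"]].append(event)

    alerts = []
    for event in map(parse, db_lines):
        rows = int(event.get("rows", 0))
        if rows < threshold:
            continue
        user = event["user"]
        for login in logins[user]:
            delta = event["ts"] - login["ts"]
            if timedelta(0) <= delta <= window:
                new_source = login["src"] not in known.get(user, set())
                alerts.append({
                    "user": user,
                    "login_ts": login["ts"].isoformat(),
                    "src": login["src"],
                    "new_source": new_source,
                    "table": event["table"],
                    "rows": rows,
                    "severity": "high" if new_source else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(VPN_LOG, DB_LOG):
        print(alert)
```

Neither log source would flag this on its own: the VPN log shows a successful login, and the database log shows a query that a reporting job might legitimately run. The value of the correlation is that the two events are tied to the same user within a narrow window, which is the sort of connection a disclosure regime will expect organisations to have been able to make.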

Ross Brewer brings over 22 years of sales and management experience in high tech and information security. Prior to joining LogRhythm, he was a senior executive at LogLogic, where he served as vice president and managing director EMEA. Ross has held senior management and sales positions in Europe for systems and security management vendor NetIQ and security vendor PentaSafe (acquired by NetIQ). He was also responsible for launching Symantec’s New Zealand operations.