Dave Fisher argues Europe should ratify data breach notification legislation
Data breaches are becoming as common as muck in the UK – from such high profile breaches as the Home Office data leaks to the more recent Hazel Blears lost laptop scandal. Yet, with organisations still not seeing any urgency to shore up their defences, it is high time that the government stepped in.
The recent amendment to the EU’s ePrivacy Directive to include the notification of security breaches is certainly a step in the right direction, while the House of Lords’ amendment to the Criminal Justice Act, making it a criminal offence to lose personal data ‘recklessly or maliciously’, has now been ratified by the House of Commons, gearing the UK up to enforce the directive.
The EU amendment, which will be voted on at the end of this year, will require all organisations that experience data losses or breaches to notify national regulatory authorities – in the UK’s case, this is the Information Commissioner’s Office (ICO). While one side of the argument fears that the ICO may be overrun by minor incidents, the fact is that even in the wake of high-cost breaches, UK organisations are not taking responsibility and facing up to the severe consequences that these breaches can have.
Aside from putting employees, customers and, in the case of healthcare organisations, patients at risk, data breaches can have a significant impact on an organisation’s reputation and bottom line. In fact, a recent survey from the Ponemon Institute found that data breaches cost UK companies an average of £47 per record lost, which translates to roughly £1.4m for the average company. What may be even more alarming is that Ponemon estimates customer churn rates can rise by an average of 2.5% after a data loss occurs, which can have a far more long-term effect on the business.
There is a whole raft of technology available now that is designed specifically to help protect even the most sensitive information, which raises the question: is it really worth putting your entire business on the line? Many companies are starting to understand the critical nature of these situations and are looking to encryption software to help ensure that only those authorised to see certain information can do so. While this is no doubt a good start, it still isn’t enough. Given that most data breaches result from lost laptops, one solution is to remotely lock down laptops and all of the data held on them.
While data security is starting to move up the ranks on the IT agenda, businesses need to understand just how mission critical it is right now – and not in six months’ time when the EU directive is voted on.
Although passing such a law across the EU would help push European organisations towards better protecting their data, UK companies would do well to adopt data protection measures now, rather than incur hefty fines from the EU itself – or worse, risk major brand and reputational damage because of a publicly disclosed data breach that could easily have been avoided.
Dave Fisher is business development manager at Alcatel-Lucent