ANALYSIS The US is really upping its game in the fight against cyber crime.
In the past month, the Obama administration has made some moves to protect the nation from cyber attacks, releasing its first International Strategy for Cyberspace.
Now, in the proposed Personal Data Privacy and Security Act, the US Government has recommended criminalising data breach cover-ups.
Under current UK law private companies are not required to confess to data breaches, hence why the Information Commissioner's Office (ICO) has fined public bodies considerably more.
It looks likely the UK will one day make data breach disclosure mandatory, but should we follow the US and criminalise cover ups?
The ups and downs
It's clear there would be benefits to criminalising concealing of data breaches, the central one being the extra deterrent.
"There is clearly merit in ensuring that data breaches are not hidden from those they affect, given the numerous high profile hacks that have taken place in the last six months," said Chris Boyd, senior threat researcher at GFI Software.
However, over regulation can be a stifling force. According to Boyd, smaller companies could be disadvantaged, given they don't have the same resources as big corporations to protect themselves.
"There is a worry that smaller companies will struggle to implement the same level of security protection as their much large rivals, running the risk of bad publicity, fines and further attacks," Boyd told IT Pro.
"It's concerning to think that we'd require further legislation such as this to make certain companies look at how they can improve their security instead of them doing it by default."
Certainly, companies should have security as one of their chief priorities, not just from a compliance perspective but out of respect for their customers.
Nevertheless, it would seem sensible to threaten companies with legal action. If companies can break laws and get away with it simply because they don't have to confess their sins, it makes for a pretty light-handed system. Sometimes fear is the best medicine.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
“You must do better”: Information Commissioner John Edwards calls on firms to beef up support for data breach victimsNews Companies need to treat victims with swift, practical action, according to the ICO
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
