BreachExchange mailing list archives
NCA says firms ‘should’ report breaches to customers
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Feb 2015 18:31:42 -0700
http://www.cbronline.com/news/security/nca-says-firms-should-report-breaches-to-customers-4509916

An official from the National Crime Agency (NCA) has said that customers should be informed when a data breach takes place.

Andrew Archibald, deputy director of the NCA's cybercrime unit, told a security summit in Westminster that as a consumer he would expect to be informed when a hacker successfully compromised a company's systems.

"My view as a law enforcement official is that a customer should expect to be informed about that," he said. "I would want to know that I've been breached and what measures I can take to be secure."

However, the law enforcer recognised that his view could pose a challenge to business in terms of reputational damage and its share price after a big attack.

"We've seen some high profile cases such as Target and Sony and others, and that will have an impact," he added. "There's something in that which we in law enforcement have to recognise."

Sony shares on the New York Stock Exchange took a hit in early December following weeks of poor publicity in relation to an attack on its movie division, which led to the leaking of a number of embarrassing internal emails and employee data. Prices have since recovered.

Balancing his earlier comments, Archibald argued that it was "unreasonable" for companies to share breach information with a customer until they have fully established what had happened, and that companies sharing information with their rivals on breaches was "really important".

Yet one point he was not sure on was the obligation of companies to inform customers of problems unrelated to the breach they were investigating.

"If you as a company or organisation are breached then in the course of your investigation established one of your customers' computers were infected, do you think you now have a responsibility to let them know and investigate?" he asked. "I think that's an interesting question."