BreachExchange mailing list archives

NCA says firms ‘should’ report breaches to customers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 12 Feb 2015 18:31:42 -0700

http://www.cbronline.com/news/security/nca-says-firms-should-report-breaches-to-customers-4509916

An official from the National Crime Agency (NCA) has said that customers
should be informed when a data breach takes place.

Andrew Archibald, deputy director of the NCA's cybercrime unit, told a
security summit in Westminster that as a consumer he would expect to be
informed when a hacker successfully compromised a company's systems.

"My view as a law enforcement official is that a customer should expect to
be informed about that," he said. "I would want to know that I've been
breached and what measures I can take to be secure."

However, the law enforcer recognised that his view could pose a challenge to
business in terms of reputational damage and its share price after a big
attack.

"We've seen some high profile cases such as Target and Sony and others, and
that will have an impact," he added. "There's something in that which we in
law enforcement have to recognise."

Sony shares on the New York Stock Exchange took a hit in early December
following weeks of poor publicity in relation to an attack on its movie
division, which led to the leaking of a number of embarrassing internal emails
and employee data. Prices have since recovered.

Balancing his earlier comments, Archibald argued that it was "unreasonable"
for companies to share breach information with a customer until they have
fully established what had happened, and that companies sharing information
with their rivals on breaches was "really important".

Yet one point he was not sure on was the obligation of companies to inform
customers of problems unrelated to the breach they were investigating.

"If you as a company or organisation are breached then in the course of
your investigation established one of your customers' computers were
infected, do you think you now have a responsibility to let them know and
investigate?" he asked. "I think that's an interesting question."