LogRhythm comments on EU cyber security law to prescribe mandatory data breach disclosure
Recently, the European Union officially proposed a new directive that would require organisations in a number of industries to notify the authorities of any security breaches.
The new Directive would affect enablers of key Internet services (such as large cloud providers, social networks, e-commerce platforms and search engines), the financial sector, critical infrastructure services including energy, transport and health, and public administrations. The Directive would also require each EU member state to establish a Computer Emergency Response Team (CERT) and to share security threat data with other member states in a co-ordinated way.
Ross Brewer, vice president and managing director for international markets, LogRhythm, has made the following comments: “This new law is exactly what the public needs in order to restore consumer confidence in cyber security, which has clearly eroded across all industry sectors over the past couple of years. There is an urgent need for organisations to reassure consumers they are capable of safeguarding networks, and the public is increasingly demanding mandatory disclosure of any incidents in which data has been compromised.
“Our recent research shows that 80 percent of the UK public implicitly do not trust organisations to keep their data safe, ranking social networks and gaming sites the least trustworthy organisations. As such, it’s great to see that the EU proposal is in line with public demand by including major internet companies such as social media companies in its list of key companies required to report any IT security breaches. There are, however, some glaring omissions, with many organisations entrusted with vast amounts of high worth data seemingly unaffected by the proposed directive.
“No organisation should wait for new legislation to obligate them into maintaining a transparent IT security strategy. With data breach incidents reaching an all-time high last year and affecting an increasingly wide range of organisations in various different industries, it is only a matter of time before mandatory data breach disclosure is required across the board. With traditional perimeter security solutions now clearly an inadequate defence, organisations must ensure they have IT security in place that effectively formulates damage limitation strategies while also future-proofing against increasingly stringent legislation and ensuring the generation of accurate breach notifications.”