Corporate reputation is fragile and businesses are highly vulnerable to anything that challenges or damages it. Most businesses appreciate the benefits that are derived from having a strong, positive reputation and the perception their product holds as a valued commodity retaining loyal customer trust. Reputational damage can be tricky to measure and is difficult to realize financially until an incident occurs which can undermine an organization’s reputation to its very core.
Reputational risk is defined as a loss resulting from damages to an organization’s reputation in terms of lost revenue or diminished share price. Reputational risk can be a matter of corporate trust, but frequently serves also as a tool in crisis prevention by focusing attention on handling threats to reputation once a situation occurs. Crisis management is not risk management and is a reactive approach to damage limitation through an event which has already happened.
Hard-to-assess, intangible reputational assets such as corporate reputation, goodwill and brand integrity may be difficult to quantify; however, according to a recent study conducted amongst 230 board directors, reputational risk appears to be the biggest concern for board directors after financial risk:
- 73% of board directors said reputation risk is their biggest risk after financial risk (+19% on the previous year’s comparative study)
- Regulatory and compliance risk was ranked as a concern by 56% of respondents - 20% behind reputational risk.
- More than 60% of respondents stated that internal audit departments were helpful in identifying risk. The percentage rose to 73% for directors on public boards.
- Directors reported that their boards were doing Very Well or Well Enough in identifying risk through Regular Board and Committee Meetings (90%), External Auditors (84%), Accounting Departments (80%) and Risk Management Insurance Providers (67%).
The study also highlighted figures for implementing a comprehensive enterprise risk management program which showed:
- 33% have a comprehensive program and it is fully implemented
- 27% have a program but it is not comprehensive
- 14% have a program but it has not been adequately implemented
Reputational risk is a culmination of factors which can include regulatory legislation, financial/governance standards and IT & operational risk. Managing reputational risk must begin with a clear and unified understanding of which types of risk pose the greatest threat and potential damage to a corporate reputation. Companies should know the most common types of threat and take reasonable measures to prevent them through technology and internal policy controls.
Data security breach has gained considerable momentum and adverse public attention in recent years as the incidence of data exposures increases in notoriety. The reputational damage arising from a serious data breach can be significant and poses vast financial, legal, and reputational risks to business. There’s no doubt that high-profile data breaches in both the private and government sectors have contributed to the impetus for proposed mandatory data breach notification laws and legislation.
Recognizing the risks presented by data security breaches and managing them proactively before an event occurs is critical to protecting and enhancing good corporate reputational standards. Data threats can be averted and controlled through monitoring and efficient responsive reaction to vulnerabilities as they arise. Automated data discovery audits provide an ongoing surveillance and management methodology of data environments, helping organizations to manage reputational risk and ensure that compliance standards are met through reliable and ongoing risk assessment.
Written by Damien O'Donnell, Key Account Manager, UK & Ireland
Wednesday, 19 June 2013 09:49
UK Data Breach Costs on the Rise
Data breaches suffered by UK organisations could cost as much as £2 million per incident, according to the latest study conducted by the Ponemon Institute, titled the Cost of Data Breach 2013. The average cost per compromised record has risen from £79 in 2011 to £86, which compares to an average cost of £47 per compromised record in 2005.
The study looked at 38 reported incidents which ranged in size from 3,500 records breached to just over 70,000 records, with the average incident size being 23,000. The average incident now costs firms £2.04 million each, which has increased from £1.75 million last year. The research tracks a wide range of cost factors, including outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support.
The study looked at the direct and indirect costs incurred by 277 companies across the US, UK, Germany, France, Australia, Italy, Japan and Brazil after the loss or theft of protected personal data. Globally, the average cost of a data breach has gone up from $130 per record in 2011 to $136 per record. The cost-per-record is higher in the US, at $188 per record, but that is down from 2011 when the average cost was $184.
According to Larry Ponemon, Chairman of the research firm ‘while external attackers and their evolving methods pose a great threat to companies, the dangers associated with the insider threat can be equally destructive and insidious. Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today, up 22% since the first survey’ stated Ponemon.
The report found that negligence is the main cause of data breach: 37% of data breaches involved negligent employees or contractors, while malicious or criminal attacks have grown slightly from 31 to 34% of data breaches, making this the most expensive type of breach at £102 per compromised record.
With more than a third of data breaches in the UK involving neglectful employees or contractors, the human factor appears to be the weakest link, which would suggest that businesses could benefit from improved training, awareness and policy initiatives in a bid to improve data security.
With businesses facing tougher penalties when the new EU Data Protection Directive comes into effect, penalties for failing to secure personal data under the proposed legislation could see European organisations facing potential fines of up to 2% of their turnover for breach of the law. With this prospect, businesses need to ensure that reasonable measures are deployed to protect the personal information they hold from misuse, loss, unauthorized access, modification or disclosure.
This requires a forward-thinking combination of measures designed to educate employees, identify vulnerabilities and detect misuse and loss of confidential public information:
- Robust network security solution
- Enforced security policy
- Communication and training of staff
- Ongoing risk assessment, reporting and redress of data vulnerabilities
Businesses that do not protect their data are not only facing expensive direct costs from cleaning up a data breach, but also a loss in customer confidence and reputational damage which has long-lasting ramifications. Businesses simply can't afford to ignore protecting the valuable, sensitive data they have been entrusted with. The task of implementing security structures and monitoring controls may seem arduous but when compared to the potential breach cost, it’s a far more obvious route.
The recurring process of data auditing and monitoring is a highly effective and efficient means to achieving data protection and compliance standards. The process helps organisations to understand what unsecured data they own and take the necessary remediation steps to protect it. It enables businesses to demonstrate a greater ROI through improved efficiencies which help to reduce costs and optimise resource time associated with managing and safeguarding critical data entities.
Data discovery is an essential cornerstone of risk assessment as it provides visibility to understand what unstructured and unsecured data an organisation owns, realise its importance and make informed decisions about how it should be controlled, managed and protected. PixAlert’s enterprise data audit solutions help organizations to discover, classify, monitor and protect unsecured, critical data across enterprise networks and enables businesses to reliably manage risk, improve security processes and continuously maintain compliance standards.
It’s estimated that unstructured data is expanding at a rate of 20% per annum and that it can constitute as much as 80% of most organisations’ total information assets. Industry analyst Gartner characterizes unstructured data as ‘content that does not conform to a specific, pre-defined data model. It tends to be the human-generated and people-oriented content that does not fit neatly into database tables.’
Unstructured corporate data takes many shapes and forms within business documents including reports, letters, spreadsheets, presentations, PowerPoint files, scanned images (JPEGs, PDFs, TIFF), photos, audio, video, e-mail messages and attachments and external data. It includes any misplaced, legacy or unsecured information that can be found ‘anywhere and everywhere’ across a network on any device including servers, desktop PCs, laptops, mobile devices, thumb drives, backup drives and online backups.
Although unstructured data represents a rich and necessary source of corporate information, vast volumes residing unsecured on networks pose serious security and confidentiality risks when overlooked or left unmanaged. In reality, most businesses are unaware of these risks as they don’t know where this data exists or what form it takes and are therefore oblivious to the significant threat that it poses.
Industries governed by data compliance regulations like PCI, HIPAA, SOX, FACTA and GLBA are obliged to protect information like highly sensitive health, financial, credit holder data (CHD) and personally identifiable information (PII), and therefore must have the ability to take stock of both structured and unstructured data in order to fully comply with their regulatory responsibilities. Lacking a governance process for handling unstructured data, which represents a significant proportion of a business’s overall data environment, can seriously undermine their overall data security and compliance effectiveness.
The starting point of any compliance and data security programme is to have an understanding of what unstructured data an organisation owns, identify where it is located, who has access to it and how it is managed. Gaining a clear knowledge of where unstructured and legacy data resides within an environment is critical to achieving good security and compliance practice. In other words, before you can protect your data, you must find it.
TIPS FOR SAFEGUARDING UNSECURED DATA
Categorise Data Critical to Your Business
Define and categorise the types of data that are important to your business. This can include specific data types, i.e. CHD, PII, sensitive financial or employee data, intellectual property etc., or a combination of data sorts, i.e. particular documents containing credit card data.
Assign Ownership and Accountability
Identify key stakeholders who are responsible for handling particular data and create policy and rules to ensure that protection levels are clearly communicated, recognised and agreed.
Gain Vision of Unstructured Data
Discover and detect where unsecured, unstructured data at rest is stored throughout a network and email environment. In order to understand where data at risk vulnerabilities exist, visibility of entire network resources is essential to ensuring that all un-obscured data risks are quickly and routinely detected.
Classify and Remediate
Once sensitive data that needs to be protected is identified, businesses need to implement corrective action through classification and remediation procedures. Not all legacy data is worth protecting and therefore should be eliminated. Data with greatest value and impact on the business should be prioritized through appropriate protective levels.
Assess Risk, Measure and Monitor
Implement monitoring controls to ensure that potential data threats and vulnerabilities are continuously monitored through on-going risk review. This process should be automated so that recurring assessment is routinely conducted, reported and continuously evaluated. This step is important for documenting regulatory compliance and helps to drive improvements by detecting and eliminating root causes for unsecured data, potential breaches and audit deficiencies.
MANAGING THE UNKNOWN
PixAlert’s easy-to-use data discovery, classification, remediation and monitoring platform helps organisations to efficiently manage unstructured, sensitive corporate information and reliably manage risk, improve data security, increase operating efficiencies and achieve regulatory standards through a recurring automated process of:
- Rapid discovery and identification of data exposures
- Remediate issues and execute corrective controls
- Eliminate duplicate and legacy data stores of no value
- Map data protection levels to business information needs
- Enable best practice user policies and standards
- Control the risk of data breach
- Manage a more efficient and cost effective path to compliance
Having a comprehensive insight into where unstructured and legacy data resides on a network is critical to controlling risk and minimizing its impact. Managing the unknown through proactive visibility controls helps to enforce reliable security process, identify data vulnerabilities while demonstrating optimum compliance posture.
Following closely in the footsteps of proposed new US and EU enforcement of compulsory breach notification, it appears that the Australian Government is getting ready to introduce their long awaited and overdue notification scheme.
The release this month of the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 gives the strongest indication to date that the government is serious and ready to enact mandatory breach reporting from as early as July 2013, with a grace period for companies to comply. Australia doesn’t currently enforce data breach notification law; within the existing system the federal government recommends that organisations notify the Office of the Australian Information Commissioner (OAIC) if a breach poses a “real risk of serious harm.”
The Exposure Draft provides the first real insight into the Government's approach to how the scheme might operate. According to SC Magazine who first reported on the draft bill ‘it appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered’.
Proposed Notification Rules Under Draft Privacy Amendment Bill
- A data breach would be considered serious if an organisation is delinquent in its requirements under the new Australian Privacy Principles to take reasonable steps to secure customer personal information.
- Breached data, lost or stolen, would need to expose customers to a "real risk of serious harm" and could be subject to unauthorised access or disclosure.
- Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations. Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.
- Organisations could also face fines if their outsourcer is breached under the draft bill. If personal information is sent overseas, the sender (as the guardian of the data) is required under APP 8.1 to reasonably ensure the receiving company does not breach privacy law.
- Data loss stemming from a lack of due diligence in protecting credit reporting and credit eligibility data was also considered a possible serious breach.
- Organisations could also face serious breaches if Tax File Numbers were lost or stolen without first being reasonably protected.
- Law enforcement departments were exempt under the draft bill to avoid risking prejudice against agency operations.
- Operators of the Personally Controlled Electronic Health Records must already report breaches and will not have to report again under the proposed laws.
Preparing for Breach Notification
Although rules pertaining to the breach notification law have yet to be finalised, new reporting procedures on the horizon in Australia, the US and Europe require that businesses address data protection seriously and proactively prepare so that sufficient security controls exist. It’s a wake-up call for business to assess their data security requirements and implement adequate data security controls to address risks and improve efforts to prevent breaches.
The prospect of hefty penalties along with more stringent procedures may be an additional burden for many businesses, but it is deemed to be a necessary requirement in ensuring that the guardians of consumer and personal data become more compliant in their approach to protecting it.
In advance of legislation approval, organisations across all industry sectors need to assess their security controls and ensure that adequate measures exist to protect consumer data through improved review, reporting and control procedures of unsecured and sensitive data.
The current notice period gives organisations some breathing time to prepare and get their affairs in order by deploying best practice procedures and enforcing policies which will bring about more clarity and protection on the amount of unstructured and sensitive data that they own, where it is stored and potential compromises.
‘Before You Can Protect Your Data, You Must Find It’
PixAlert deploy world-class scalable enterprise data audit solutions which enable organisations to discover, classify and protect unsecured, critical data across enterprise-wide networks, helping businesses to manage risk, improve security processes and maintain compliance standards. For further information contact www.pixalert.com
Reputational damage, financial & compliance failures highlighted as main concerns
UK state and local authorities face an enormous task when it comes to handling, sharing and managing public data and need to develop a more efficient approach to ensure that they are doing all within their power to protect the sensitive information that they control. Data loss or theft through human error or malicious intent is a costly and damaging occurrence, particularly at a time when increasingly high expectations in public office standards and expenditure are at the forefront of scrutiny.
An independently commissioned study amongst 227 UK public sector managers on their attitude to information security has revealed that data loss and the consequence of reputational and financial damage to their organizations is posing a serious concern to ICT professionals. The study was collected from 247 unique public sector organizations including the NHS, City and local Councils, Universities, Trusts, Central and Local Government and the Police.
MAIN FINDINGS OF STUDY:
- 62% cited accidental data loss as the biggest threat to their security
- Respondents claimed that the most damaging consequences of data breach were:
  - Reputational damage 31%
  - Financial consequences 20%
  - Compliance, policy issues 18%
- 50% were concerned that social media channels posed a significant risk
- 90% considered information security to be important when selecting business partners
- 66% believe information security is not only important but a high priority
- 93% frequently exchange information between agencies and business partners with 83% containing sensitive information
The encouraging news from this study is that there appear to be high levels of awareness amongst public sector organizations of the importance of information security and their responsibility in protecting public data. However, this is marred by genuine concern about the threat, consequences and penalties that arise if an organization falls victim to a breach.
The survey also suggests that public sector organizations think about security when partnering with other entities but aren't doing enough to secure these relationships. This highlights the need for better enforcement of security process and policies by collaborative organizations to ensure better protection procedures against data loss and a clearer understanding of joint responsibilities.
All considered, the public sector has taken a big step in the right direction; however, as frequently reported by the ICO (Information Commissioner’s Office), many public sector organizations are still falling short by not taking the risks seriously and failing to implement adequate security measures.
TACKLING THE ISSUE
Through working closely with leading UK Public Sector thinkers, PixAlert have created an effective strategy for ensuring a common interpretation and application of UK public sector security requirements like the PSN/CoCo standard (Public Sector Network – Code of Communication) in addition to offering an essential data protection, risk assessment and compliance enabling solution.
PixAlert takes a practical approach to saving vast amounts of time and resources through an efficient and easy-to-use data discovery, classification and continuous monitoring platform which can be configured in accordance with PSN CoCo and other data protection compliance guidelines. Through client specific controls and protective classification markings, sensitive data can be appropriately stored, handled and secured while continuously assessing obscured risks.
The solution allows public sector organizations to realise a greater return of investment through enhanced efficiencies which will help to measurably reduce costs and optimise resource time associated with managing critical data entities:
● Evaluate the true scope of controls and compliance procedures
● Enforce best practice standards
● Ensure that key information assets are secure and resilient
● Reliably protect and manage sensitive data.
Public Sector organizations need to embrace the benefits that can be gleaned through regular auditing practice and understand the broader and more positive implications that this process can deliver when integrated as part of an overall security programme. By demonstrating this, sensitive public data and the reputation of those responsible for managing it, can be protected; data breach fines averted and optimum performance and efficiency value achieved.
For further information on PixAlert’s data auditing solutions contact
or gain an immediate insight into data vulnerabilities by testing PixAlert’s free data auditor trial. www.pixalert.com
Article Author: Vivian Cullen
Date: 29th April 2013
Last Updated on Friday, 26 April 2013 15:43
Written by Damien O'Donnell, Key Account Manager, UK & Ireland
Monday, 08 April 2013 11:24
Managing Illicit Network Images - Policy, Process & Enforcement
Research from Kansas State University on cyber-loafing (wasting work time on the Internet) and the effectiveness of user policies in dealing with the issue has found that corporate policy alone isn't a sufficient deterrent in managing cyber-loafing and that a combined effort of sanctions enforced with policy and technology needs to be applied.
Cyber-loafing has become a real and persistent problem for many organisations with suggestions that a preventative approach of acceptable use policies (AUP) combined with mechanisms designed to monitor employee internet usage and detect unauthorised usage, is the most effective way to manage the issue.
Employees’ misuse of company computer resources can lead to a host of problems for organisations from lost productivity, wasted computer resources and e-viral infections to serious business interruption, reputational damage and security breaches leading to civil and criminal lawsuits. According to International Data Corporation cyber-loafing (or skiving) is estimated to account for 60% of all online purchases made during working hours and it is estimated that 25% of corporate internet traffic is unrelated to work.
Security Pros Upbeat on Data Protection & Risk Management Efforts
According to the annual 2013 SC Magazine Guarding against a Data Breach survey, more IT security leaders than ever think that their organizations are making greater strides in safeguarding critical corporate and customer data. However, optimism and good intentions don’t always stack up, particularly when the incidence of security breaches continues to escalate, generating negative publicity and imposing hefty financial penalties on organizations. With the rise in breaches, more respondents to this year's data breach survey agree that the threat of a breach, loss or exposure is greatly influencing their organization's security initiatives.
From the survey findings, the most significant factor affecting data protection strategy is statutory regulations. More organizations appear to be realizing the value of proactive data security initiatives, and having to be compliant with regulations like PCI DSS, HIPAA and ISO 27002 is driving them to implement improved measures rather than wait for an incident or a failed security audit.
Written by Niamh Hayes, Marketing Advisor, PixAlert
Wednesday, 27 February 2013 13:34
Lacklustre Data Security Practice under Scrutiny
The UK data protection watchdog, the ICO, has expressed its growing lack of tolerance of shoddy data security practice by calling for more extensive compulsory auditing of local government agencies and advising businesses to adopt more preventative measures in protecting confidential customer information.
According to the ICO, compulsory data protection audits of councils and the NHS are needed in order to eliminate basic error. The Information Commissioner, Christopher Graham told MPs that taxpayers were losing out when public bodies were fined for mistakes in handling sensitive information and said that consensual voluntary audits had in some areas proved a success.
He went on to say that while the UK Department of Health was supportive in principle of audits in parts of the health service, the Department for Local Government remained to be convinced, and he hoped to persuade ministers of the value of audits. ‘Until local government gets the message, local council taxpayers will continue to be hit by civil monetary penalties for really stupid basic data errors,’ commented Mr. Graham.
Recent research from Deloitte has highlighted that firms in technology, media and telecommunications (TMT) are confident that they are safe from cyber attacks and data security breaches.
- 88% of companies surveyed don’t think they are vulnerable to an external cyber threat
- However 59% have experienced a security incident in the last year
- Just half have a documented response plan in place
In Deloitte’s sixth annual Global TMT Security Study, 68% of companies said they understood their cyber risks and 62% had a programme in place to sufficiently address them. Yet in the past year, over half (59%) said they had knowingly experienced a security incident. With this many successful attacks, companies should treat breaches as inevitable and invest significant time and effort in detection and response planning, so that they can bounce back quickly when one does happen. However, only half of companies have this type of planning in place.
Despite initial confidence on being safe from security incidents, 74% voiced concerns over third party breaches, and 70% indicated that employee mistakes were a major threat, with lack of security awareness being cited as a major vulnerability. Only 48% of companies, however, offered security-related training.
Written by Niamh Hayes, Marketing Advisor, PixAlert
Tuesday, 29 January 2013 09:34
The Legal Hazards of Data Breach
The 2012 Ponemon Institute survey of 583 US IT and IT security professionals found that 90% of the organisations they represented had suffered at least one data breach. Likewise, a recent report from Verizon found that 174 million data records were lost in 855 separate incidents. In the aftermath of a breach, apart from the damning financial, reputational and operational implications to a business, the consequences also create a myriad of litigation issues which need to be seriously considered when determining how to plan and respond to a data breach.
The laws that apply to data breach litigation are still evolving and, until recently, consumer plaintiffs have met with little success in the courtroom, but this is likely to change as consumers become increasingly aware of their data protection rights and as regulatory laws enforce greater powers. Courts may soon recognise that individuals have a reasonable expectation for their personal information to be properly protected and that a data breach violates this expectation.
Identifying the Weakest Link in Data Security Defence
It is widely acknowledged that organisations who make efficient use of their data are better positioned to gain competitive advantage in the marketplace. Data like intellectual property, sensitive customer information and credit card data can be a huge liability to an organisation if it falls into the wrong hands, is leaked or left lying dormant on a network.
In helping to improve the efficient use of data while also enhancing data protection and compliance standards, one information security expert claims that organisations need to take heed from the U.S. Department of Defence (DoD). According to Andrew Serwin, CEO of The Lares Institute, a think tank focused on technology, privacy and information governance, ‘the cyber risk is an asymmetric threat – organised actors who try to use information against us, create an information imbalance to find the weakest link and then attack.’
That weak link may not necessarily be within the organisation. For instance, if a particular supplier doesn't follow the same security protocols as the company, an attacker could penetrate that supplier's defences and from there move up the chain into the network.
Information Superiority - Optimize Risk
According to Serwin, information and not technology is the underlying threat, and he advocates a doctrine that originated from the DoD referred to as information superiority. The DoD command and control their information domain, so if applying this theory to private industry, it means prioritising the superior use of information in order to minimise data risk, increase profit, reduce costs and protect against reputational damage.
A series of serious privacy events relating to the disclosure of government-held information, has led NZ privacy commissioner Marie Shroff to label 2012 ‘the year of the data breach’ within the Commission’s annual report which was recently published.
The report singles out the Accident Cover Compensation’s (ACC) unintentional release of data on more than 6500 clients in March and the more recent leakage in the Ministry of Social Development’s kiosks. ‘The public sector can't afford to be complacent and it’s clear that agencies holding large amounts of personal information need to place greater value on that information asset,’ stated Ms Shroff. ‘They need to develop strong leadership and a culture of respect for privacy, as well as policies and practices to provide trustworthy stewardship of our personal information at every level of the organisation.’
UK Local Government Lag Behind Private Industry on Data Protection Compliance
The UK’s information watchdog the ICO has warned that the NHS, local government and Whitehall bodies are falling behind the private sector when it comes to data protection compliance. It has sparked new concerns about personal data security in the public sector, re-emphasising the ICO’s call for new compulsory audit powers to stop breaches of the Data Protection Act.
In a recent interview, Louise Byers, Head of Good Practice at the Information Commissioner's Office (ICO) said there was an inherent risk in sectors like the NHS and local government because of the extremely sensitive information that they hold. This was one reason why the two sectors were receiving the bulk of data breach fines, which can reach up to £500,000 per penalty.
Written by Damien O'Donnell, Key Account Manager, UK & Ireland
Wednesday, 21 November 2012 13:38
Enforcing Robust Policies on Workplace Pornography - New Study Identifies Five Common Types of Employee Participation
Employers must have in place a strict policy regarding pornography in the workplace if they are to avoid legal action from sexual harassment and discrimination charges, according to a study by Craig Cameron of Griffith University, Australia. Writing in the International Journal of Technology Policy and Law, Cameron identified five primary methods of what he refers to as pornography participation that require specific policies to protect both employer and employee in almost any jurisdiction.
According to Cameron, technology has allowed pornography to infiltrate the workplace, which now means that employment policies and rules must be put in place to ensure employees can enjoy their legal right to a safe workplace free of sexual harassment and discrimination. He has investigated the problem of workplace pornography from the perspective of Australian employment law but points out that the same technological and social issues are present in almost every country. His findings could point employers in Australia and elsewhere to the creation of a robust policy on the use of pornography in the workplace.
Written by Niamh Hayes, Marketing Advisor, PixAlert
Monday, 12 November 2012 12:47
Clock Ticking for Businesses to Face Up To Tougher EU Data Breach Penalties
EU businesses will face tough penalties for failing to secure personal data under proposed legislation which could see organisations facing potential fines of up to 2% of their turnover for breach of new EU data protection law. The draft data protection directive, which is due to come into force over the next couple of years, will impose a raft of new obligations on businesses, including a statutory requirement to report data breaches.
Tighter Data Protection Rules
Under the proposed rules, businesses will be required to report any data breaches to regulators within 24 hours and to notify the public if data is at risk. The move would act as an incentive for businesses to improve the security surrounding their data. Already within the US, breach notification requirements work as an incentive to tighten security; however, the law only applies to certain types of data, whereas in Europe new legislation will apply to any data type.