Cyberattacks: To notify or not to notify?

Article by Lucy Hook – Insurance Business Magazine
23 November 2017

In the case of a data breach, whether a company notifies its customers and any regulators, or not, can have a significant effect on how the event plays out – just ask Uber.

This week, it was revealed that the ride-sharing giant suffered a major data breach in 2016, which it then concealed for more than a year. Data compromised in the attack included names, email addresses and phone numbers of 50 million Uber riders around the world, and the personal information of about seven million drivers, according to Bloomberg.

Instead of reporting the breach, Uber paid hackers $100,000 to delete the data and keep the breach quiet. As a result, its chief security officer Joe Sullivan, along with one other employee, has since left the company.

But what are the rules when it comes to notification of a breach, and what are the potential effects of failing to do so?

In the UK, there is currently no mandatory requirement for companies to report data security breaches to the Information Commissioner’s Office (ICO) or to affected individuals, but that is about to change.

“When the General Data Protection Regulation (GDPR) comes into effect, businesses must notify the regulator and data subjects when a breach has occurred,” Nick Limb, executive director of insurer NMU, told Insurance Business.

The GDPR, which comes into force in May 2018, will raise the stakes when it comes to how businesses handle data protection and the ramifications where they fail to meet standards – including a potential fine of up to €20 million (£18 million) or 4% of group worldwide turnover.

“Dealing with data breaches properly as soon as they are discovered is important, and an organisation should seek specialist advice if they don’t have internal expertise to deal with breaches,” Limb explained. “Covering a breach up could be more damaging when it eventually comes out, especially if not notified as required by regulation.”

Even where not required by law, notifying regulators and the public is becoming more and more important, according to Gareth Lindahl-Wise, director of cyber risk at ITC Secure Networking.

“Some legal territories have mandatory breach notification requirements, and an expectation of disclosure and transparency is growing in those that don’t,” Lindahl-Wise said.

“Breaches are going to happen. It is not if, but when. Ideally, you would be able to demonstrate that you have made risk assessments and applied appropriate controls, and that you have managed the breach to the best of your abilities, including any regulatory and customer engagement,” he continued.

Those companies that do take this approach will likely experience less of a negative impact to their reputation should they suffer an event, according to the director.

“Hiding issues is not an option that boards should entertain or allow to be entertained,” he said.

As for Uber’s breach, the key question in this situation is what process was followed, according to Lindahl-Wise.

“Was this sanctioned and if not, how could the governance and compliance processes not pick it up? This comes at a challenging time with Uber, given other behavioural and governance issues which have made the press recently,” he said.

Pointing to the recent change of leadership – Uber co-founder Travis Kalanick was replaced by Dara Khosrowshahi as CEO in August – Lindahl-Wise added that the timing of the breach “may reflect back on the ‘old’ regime rather than the new.”