ENISA: Data breach notification regulation could divert attention from causes

Proposed regulatory action by the European Union that would require quick data breach notification by Internet firms that control or process personal data could lead those companies to focus on symptoms rather than causes of cybersecurity vulnerabilities if not augmented by other regulations, says a new report from the European Network and Information Security Agency.

The EU agency notes in a June 2012 report (.pdf) that the Justice and Fundamental Rights Directorate General proposed updating existing data protection regulations so that European companies undergoing a data breach would be required to notify a supervisory government entity as soon as possible--ideally within 24 hours.

Those proposed rules could have the effect of incentivizing firms to focus on remediating the loss of reputation caused by data loss rather than on the direct and immediate costs of the data breach, say ENISA report authors, who write mainly about the current state of the European cyber insurance market.

"It may thus be seen that like many other areas of regulatory intervention, it addresses the symptoms and not the cause of cyber-security problems," they add.

A data breach notification requirement might have to be accompanied by other regulatory actions, report authors say, including permitting data breach class action suits in European courts, robust valuation of the cost of data breaches and mandatory cyber-insurance.

Although potentially ineffective as a stand-alone measure, data breach notification would in turn support creation of a stronger European cyber insurance market by reducing informational asymmetries. A paucity of information about cyber incidents is often cited as a reason for a hobbled cyber insurance market, report authors note, despite the increasing prevalence of government agency or anti-virus firm surveys and estimates of cyber attacks and their costs. Unlike other barriers, a lack of information hobbles both sides of the market--insurers and the insured.

Report authors also approvingly cite a 2011 Securities and Exchange Commission rule requiring public firms to disclose the risk of cyber incidents, stating that it is meant to prompt firms to buy cyber insurance in order to signal to the market that they are properly managing cyber risk.

For more:
- download the ENISA report, "Incentives and barriers of the cyber insurance market in Europe" (.pdf)