Prepare now - mandatory data breach disclosure is on its way

We have Sony to thank for raising the bar for the world’s biggest data breaches – with some 100 million people potentially affected by the hack on its PlayStation Network. That goes quite a way to beat the UK’s previous best – the notorious lost HM Revenue & Customs CDs containing the details of 25 million child benefit records.

There’s been a bit of a flood of incidents lately – Lush and RSA among them – which can only suggest that years of education and learning on risk management and protecting networks have not been entirely successful. In many cases, the hacks have not been especially sophisticated, but they have been determined and well targeted. There will never be a better security strategy than vigilance.

At a recent Computer Weekly event, IT security expert Peter Sommer, a visiting professor at the London School of Economics, highlighted the simple truth that cyber attacks will happen, no matter what. His blunt advice was to assume you will be hit – and that the most important part of IT security should be contingency planning.

Be prepared, as Boy Scouts would say, and have plans in place for how to deal with a cyber attack when it happens. This has been a particular weakness for Sony, whose slow response to the data breach and poor customer communication in the aftermath have been widely criticised.

But before long it is likely to be about more than just good planning, as IT leaders will also need to be prepared for the day, coming soon, when mandatory data breach notification becomes law for all. This month, the European Union introduces data breach disclosure laws for telecoms companies and ISPs – and even if the new legislation only affects those sectors now, its very existence is a sign of the EU’s direction of travel in information security regulation.

Lawyers fully expect the laws to be extended to cover more and more organisations – so now is the time to prepare.