Which security breaches should companies report to customers?

Firms should guard against legal claims from aggrieved clients

For any IT director the job of monitoring internet and e-mail use and investigating security breaches will give rise to a number of challenges, not least that of minimising the damage they can cause.

One area that should be addressed at an early stage is whether firms should report security breaches to customers, business partners or the police. This can be a difficult judgment, particularly where competing interests are involved.

In cases where personal customer data such as credit card information has been illegally accessed, either internally or as a result of third-party intervention, the case for notifying those affected may be strong.

Surely customers of, for example, a retail store should be told that there has been an incident so that they can notify their bank and insurers and thereby seek to limit the loss and damage they might suffer?

Some might argue that this approach is unworkable, particularly where large numbers of customers are involved. The task of tracking them down and notifying them will take time and could be very expensive.

And what about the risk of damage to reputation, particularly if the organisation is operating in the financial sector, where security is vital to retaining customer confidence? Should the risk of damage to reputation outweigh the risk of legal claims by aggrieved customers who were not notified or were not notified promptly? Would customers have a case for action under the Data Protection Act?

The reality is that each situation needs to be assessed in the light of its particular circumstances. For many organisations the approach may be to keep quiet and hope that the problem goes away without customers suffering or bringing claims against the business.

It is hard to criticise this approach (except, of course, in cases where serious crime, including sexual offences, is involved) given the risk of reputational damage and, as matters currently stand in the UK, the absence of an overarching legal requirement to notify.

On the other hand, this approach could make matters worse and only serve to increase the size of any claim that may be made. There is also the risk that police, including the National Hi-Tech Crime Unit, may take a dim view and criticise the organisation for not getting them involved earlier.

In California, steps have been taken by legislators to codify legal requirements in this area so that those who conduct business in the state are required to notify in the event of a security breach, unless steps have been taken to encrypt the data involved. This law came into force last year and is set out in the California Security Breach Information Act (SB 1386).

Nothing like this law with such a wide-ranging application exists in the UK, although the ongoing failure by organisations to notify security breaches may cause legislators in Brussels and London to act.

Any such steps would no doubt be met with opposition from the business community because of the potential burden it would place on them and the problems it could cause in terms of reputational damage.

IT directors should ensure that they have in place internal policies and procedures to cover not only the approach to be taken when investigating security breaches but also a route to senior management on external notification to customers, business partners and the police.

Mike Bywell is a partner at law firm DLA
