lolloj - Fotolia
In the U.K., an insurance industry organization called for the government to establish a database where companies would have to "record details of cyberattacks." The purpose, according to the organization, would be to give companies offering cyberinsurance policies more data to assess premiums. But won't keeping a database of enterprises' cyberattack information be a violation of the laws and regulations protecting this type of data? How would such a cyberattack information database affect companies that are in both the U.K. and the U.S.?
Current data breach notification laws in many jurisdictions require organizations to disclose to the government and individuals when their information is compromised during a cyberattack. The recent proposal from the director general of the Association of British Insurers (ABI), Huw Evans, would go beyond this common standard and make it mandatory for companies to record detailed cyberattack information in a database created by the U.K. government.
The ABI is proposing this initiative to collect better cyberattack information so that insurers can improve their assessment of risk and their pricing for cyberinsurance. To counter fears of reputational damage to companies that disclose breaches, the ABI suggests anonymizing the data and limiting the use of the cyberattack database to insurers. On the other hand, the ABI wants a wider range of industries than just those providing essential services to provide detailed cyberattack information.
It remains to be seen if the ABI's proposal gets any further, and if so, the extent and type of details that companies would have to supply. U.S. companies are familiar with the data breach notification requirements contained within state and federal laws and industry regulations. By the time the ABI proposal reaches any enforceable state, it may resemble those laws. The biggest variable here will be the level of detailed cyberattack information required to comply with the requirement.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Find out whether or not companies should share data breach information with the public
Learn more about the differences in data breaches based on region
Check out the biggest influences on the cost of data breaches
Dig Deeper on Information Security Incident Response-Information
Related Q&A from Mike Chapple
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading