EU Commission and UK Cyber Security Strategy

While the UK cyber security strategy, published last week, is full of good stuff, it is lacking in one key area: compulsion. My view on this was quite widely reported last week: if UK organisations won’t take adequate action to protect personal data, under legislation that has been around since 1998, and won’t report breaches voluntarily to the Information Commissioner, then what on earth is going to cause them to share information about much more damaging cyber breaches?

The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.