On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems. The NIS Directive, as it is known, is meant to usher in a new era of EU-wide cooperation and national capacity building to respond to cyber-attacks that are ‘becoming bigger, more frequent, and more complex’. It also requires EU member states to impose mandatory incident reporting on providers of digital services (online marketplaces, online search engines and cloud computing services), in addition to operators of essential services in critical sectors including energy, transport, banking, financial market infrastructures and health. In other words, an entity that suffers a cyber-attack with a significant impact on the service it provides will have to report the incident to a national regulator. Strictly speaking, the NIS duty attaches to incidents affecting the continuity of the service; the parallel duty to notify breaches of personal data sits in the General Data Protection Regulation adopted earlier the same year, and the two regimes are designed to operate side by side.
This move is yet another affirmation of the role that transparency and timely breach disclosure can play in mitigating the costs of attacks, developing threat intelligence and ensuring that cybersecurity best practices are adopted in the long run. Under the NIS Directive, national regulators may elect to inform the public about an individual incident where public awareness is necessary to prevent or deal with an incident, after consulting the notifying entity and weighing the reputational and commercial damage disclosure may cause. Although the NIS Directive goes only this far, the requirement that cybersecurity incidents and data breaches be notified to end-users is slowly catching on. Jurisdictions including South Korea, Taiwan, Ireland and Uruguay, along with 47 US states, in many cases require breaches to be reported to affected individuals, while others, such as Sweden, empower the national regulator to order notification to affected individuals where required. Australia is among the countries currently legislating on the issue.
With an estimated 600 million user passwords entering the public domain in the last month alone from breaches at household names including LinkedIn, Myspace and Tumblr, such reforms cannot come soon enough. Affected consumers have an inherent right to be notified when their sensitive information has been leaked or successfully breached. Beyond the moral obligation to disclose, there is a very practical justification: notification enables affected individuals to take steps to mitigate the risk of fraud and identity theft, such as changing reused passwords or monitoring their accounts. Breach notification matters all the more because consumers are often not fully aware of the kinds of sensitive information collected in the first place by online services and mobile applications. Often, the first time consumers learn of a breach is when their credit card numbers, passwords or biometric records are offered for sale on the digital black market or, in the worst case, when their compromised accounts are misused.
The Indian cybersecurity framework has also seen recent movement, with the RBI in June 2016 issuing a clear mandate for banks to put internal cybersecurity frameworks in place immediately. These directions include an explicit requirement for banks to report ‘all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify)’ to the RBI. Similar requirements oblige stock exchanges, commodity exchanges and other market infrastructure institutions to notify SEBI, and there is a general requirement under the Information Technology Act framework for cyber-security incidents affecting Indian individuals and organisations to be reported to the Indian Computer Emergency Response Team (CERT-In).
Despite this plurality of reporting channels, no provision requires breached entities to notify affected end-users, arguably the most critical stakeholders, that their sensitive information has been compromised. In some cases, such as under the IT Act framework, the law achieves the opposite by ensuring that incident notifications made to regulators remain highly confidential. This approach reflects an outmoded view of cybersecurity in which breaches and other incidents are considered best addressed outside the public sphere, in secret.
Failing to notify consumers of data breaches prevents them from exercising their right to decide whether to continue with a breached service provider, and from pursuing appropriate legal remedies against negligent providers. The lack of any incentive to disclose incidents, combined with unclear liability norms, has also meant that breached Indian entities have not begun offering credit monitoring or other recompense to affected consumers.
In the absence of breach notification requirements, businesses have little incentive to upgrade their cybersecurity practices, since the risk of public embarrassment is largely removed. Mandating public data breach notification would encourage businesses to implement security best practices while enabling consumers to protect themselves once their sensitive information has been breached.