How would a cyberattack information database affect companies?
A proposed cyberattack information database in the U.K. aims to improve cyberinsurance. Expert Mike Chapple explains what collecting data breach information means for U.S. companies.
In the U.K., an insurance industry organization called for the government to establish a database where companies would have to "record details of cyberattacks." The purpose, according to the organization, would be to give companies offering cyberinsurance policies more data to assess premiums. But won't keeping a database of enterprises' cyberattack information be a violation of the laws and regulations protecting this type of data? How would such a cyberattack information database affect companies that are in both the U.K. and the U.S.?
Current data breach notification laws in many jurisdictions require organizations to disclose to the government and individuals when their information is compromised during a cyberattack. The recent proposal from the director general of the Association of British Insurers (ABI), Huw Evans, would go beyond this common standard and make it mandatory for companies to record detailed cyberattack information in a database created by the U.K. government.
The ABI is proposing this initiative to collect better cyberattack information so that insurers can improve their assessment of risk and their pricing for cyberinsurance. To counter fears of reputational damage to companies that disclose breaches, the ABI suggests anonymizing the data and limiting use of the cyberattack database to insurers. At the same time, the ABI wants the reporting obligation to cover a wider range of industries than just those providing essential services.
It remains to be seen whether the ABI's proposal gets any further and, if so, what extent and type of details companies would have to supply. U.S. companies are already familiar with the data breach notification requirements contained in state and federal laws and industry regulations, and by the time the ABI proposal reaches any enforceable state, it may closely resemble those laws. The biggest variable is the level of detail in the cyberattack information that companies would be required to submit.