GDPR could prompt cover-ups, security pros warn

The EU’s incoming General Data Protection Regulation (GDPR) could prompt firms to cover up data breaches, according to a survey of more than 900 security professionals.

Companies must report a breach to their data watchdog within 72 hours of becoming aware of it, under GDPR. But it’s a deadline 43 per cent of respondents fear their firms couldn’t meet.

In addition, half of those surveyed said the 72-hour rule would do more harm than good, potentially discouraging companies from disclosing a leak.

Javvad Malik, a security advocate at AlienVault, which conducted the research, said the rule and consequent fines would be particularly challenging for less established firms.

“The potential of having to pay up to 4 per cent of global turnover [in fines] could have a serious effect on a fledgling business, potentially impacting earnings or funding opportunities,” he said. “They could also lose customers through reputational damage and even have to consider making redundancies.

“It’s easy to see why some might consider trying to cover up a data breach, rather than deal with the consequences.”

While organisations are liable to fines when they report breaches to their data watchdog, the highest penalties will be reserved for the most severe offences.

The Information Commissioner is unlikely to look favourably upon a cover-up when it comes to determining the size of a fine.

In Malik’s words, cover-ups “could lead to far greater problems […] in the long term”.

According to the Ponemon Institute’s latest report for IBM, it takes firms on average 191 days to identify a data breach and a further 66 days to contain it.