CIO Jury: Come clean on security breaches, organisations urged

It'll be better for everyone...

By Andy McCue

Published: 5 May 2006 16:05 GMT

IT bosses have backed calls for businesses to be forced to notify customers if those customers' personal details have been compromised by a security breach.

This follows a huge security breach cover-up at an unnamed UK retailer, exposed after silicon.com revealed that thousands of MasterCard and Visa cardholders had quietly had their cards cancelled and reissued without any explanation of the theft.

The refusal by MasterCard and Visa to name the online retailer has angered some of those affected. They are demanding to know how their card details were exposed and are now calling for a disclosure law similar to the Security Breach Information Act in California that forces organisations to tell customers based in that US state if there has been a security breach.

This call for greater transparency over security incidents in the UK has now been overwhelmingly backed by 11 of silicon.com's 12-man CIO Jury IT user panel who said businesses should be forced by law to notify customers who may have had their personal details compromised by a breach.

Ian Auger, IT director at ITN, said: "I think any reputable company would want to do so and I would like to think that people who were affected would be understanding as long as the affected company could show that they had taken good precautions to protect the data."

Some said that a law forcing disclosure would quickly focus the minds in boardrooms and help push IT security up the corporate agenda.

Mark Saysell, IT director at Coutts Retail Communications UK, said: "Companies need to be completely transparent with their client base. As a consumer I'd want to know if my personal details had been compromised and as an IT director I think any direct law or mandate requirements regarding security or data protection will only enhance the quality of IT services in the UK."

Phil Young, head of IT operations at Amtrak Express Parcels, warned against the cover-up approach. He said: "I am sure that the damage caused by a cover-up is more severe for a company's reputation than telling the customer that there has been a problem and what the company is doing about stopping the same thing happening again."

The right of the consumer should take precedence in any security breach, according to Andy Pepper, director of business information systems at Tetley.

He said: "It ought to be a consumer's right to know which companies have suffered such breaches and then decide for themselves whether they should give them their business."

Public sector bodies should also be forced to disclose the details of any security breach, according to Richard Steel, head of ICT at the London Borough of Newham.

He said: "This extends to the public sector, some parts of which hold highly sensitive data. Not to let individuals know that the security of information about them had possibly been compromised would be unethical and irresponsible."

But Kevin Fitzpatrick, CTO at Manpower, expressed caution before introducing any legislation.

He said: "Rushed legislation is bad legislation. Time needs to be taken to craft something that doesn't become too onerous but adds real value. There is a danger of overreaction that causes companies, in fear of litigation, to inform customers of even very minor, contained risks."

Ian Auger, IT director, ITN
Alastair Behenna, CIO, Harvey Nash
Michael Elliot, IT director, Hasbro
Kevin Fitzpatrick, CTO, Manpower
Steve Fountain, IT director, Markel International
Luke Mellors, IT director, the Dorchester Hotel
Andy Pepper, director of business information systems, Tetley
Mark Saysell, IT director, Coutts Retail Communications UK
Richard Steel, head of ICT, London Borough of Newham
David Supple, head of IT and creative services, Ecotec
Phil Young, head of IT operations, Amtrak Express Parcels

If you are a CIO, IT director or equivalent at a large or small company in the private or public sector and you want to be part of silicon.com's CIO Jury pool, or you know an IT chief who should be, then drop us a line at editorial@silicon.com
