To Disclose or Not to Disclose
If your organisation suffers a cyber attack should you disclose this to the world at large?
Most organisations would prefer not to disclose such information for fear of damage to their reputation. The answer really depends on the nature of the attack and the impact it has had.
Service providers are legally required to notify the Information Commissioner’s Office (ICO) if a ‘personal data breach’ occurs. A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
If a personal data breach occurs the organisation affected must also notify their customers if the breach is likely to adversely affect customers’ privacy, and keep a breach log.
For more information on this please visit the ICO website: https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/
Where a personal data breach has not occurred, it is up to the organisation whether to disclose or not. If the attack may threaten the security of third parties, it would be wise to notify them. Forewarned is forearmed, and it is easier to manage the message before a problem occurs than afterwards.