An official from the National Crime Agency (NCA) has said that customers should be informed when a data breach takes place.
Andrew Archibald, deputy director of the NCA’s cybercrime unit, told a security summit in Westminster that as a consumer he would expect to be informed when a hacker successfully compromised a company’s systems.
"My view as a law enforcement official is that a customer should expect to be informed about that," he said. "I would want to know that I’ve been breached and what measures I can take to be secure."
However, the law enforcement official recognised that his view could pose a challenge to businesses in terms of reputational damage and share price after a big attack.
"We’ve seen some high profile cases such as Target and Sony and others, and that will have an impact," he added. "There’s something in that which we in law enforcement have to recognise."
Sony shares on the New York Stock Exchange took a hit in early December following weeks of poor publicity in relation to an attack on its movie division, which led to the leaking of a number of embarrassing internal emails and employee data. Prices have since recovered.
Balancing his earlier comments, Archibald argued that it was "unreasonable" for companies to share breach information with a customer until they have fully established what had happened, and that companies sharing information with their rivals on breaches was "really important".
Yet one point he was not sure about was the obligation of companies to inform customers of problems unrelated to the breach they were investigating.
"If you as a company or organisation are breached then in the course of your investigation established one of your customers’ computers were infected, do you think you now have a responsibility to let them know and investigate?" he asked. "I think that’s an interesting question."