Security Compromises Notification forms published

Although we have already used our own template to notify the Information Regulator of security compromises our clients have suffered, the Information Regulator has released form SCN1, which should now be used to report security compromises to the Information Regulator. There is also a guideline on how to use the form.

While the use of a standard form is a step forward, as collecting the multitude of security compromises is a mammoth task - especially with cybercrime increasing exponentially - it is unfortunate that the reporting method appears to be in hard copy (to the Information Regulator's offices) or by means of email.

There are a few reasons why this is unfortunate:

1) Information received by email, even in a fillable PDF form, is considered to be 'unstructured' information and normally requires a person to capture the information into a database (unless that is simply not done at all). 

2) Information sent by email is not secure - you have just had a security compromise and the notification of the security compromise could be your next security compromise! 

3) The sheer volume of security compromises will quickly make this system unsustainable. The Information Regulator should follow the example of the GDPR countries (such as in Holland) where the reporting of security breaches is automated so that their DPA (Data Processing Authority) can focus on the most important security compromises.

Hopefully the Information Regulator will be able to upgrade their systems before the volume of security compromises becomes unmanageable.