By Christopher Muhawe
Robert Mueller, former director of the Federal Bureau of Investigation, put it best when he said: “There are only two types of companies: those that have been hacked and those that will be.” Mueller’s statement is so true given the increased penetration and usage of internet in business.
I would like to stretch Mueller’s statement to the extent that: In the nearest future “like yesterday”, there are only two types of companies, individuals and government agencies: those that have been hacked and those that will be hacked.
More and more corporations especially in the West have disclosed that they have been a victim of a data security breach, often as a result of sophisticated hackers penetrating their computer systems. Billions of money have been lost directly, through claim settlements and compensations emanating from cyber breaches. The stolen data is usually information about individuals such as the company’s customers or employees as disclosed by these corporations.
Reports suggest that cyber breaches on Uganda are estimated to cost business and ministries over $50m which translates to sh180b annually. This is a callous amount to ignore given the social needs of Ugandans especially in the health and education sectors which are reported as under-funded.
It would not be shocking news that the figures above are an understatement in the Ugandan situation. This is especially true as the Ugandan legal regime does not charge corporations or agencies with a duty to disclose cyber breaches which position runs counter to good consumer protection practice in the cyber world.
The adhocracy approach to cyber security matters in Uganda will continue to hurt the country more than we can imagine both financially and in reputation. Purposed legal and administrative approaches should be explored urgently to make our cyber security systems more responsive & alive to modern trends. The first approach is by enacting a regulation demanding compulsory disclosure of all cyber breaches to a designated authority and all parties affected by the same.
A lack of cyber breach disclosure as a legal requirement translates to a fact that corporations will be complacent to invest in modern cyber security standards. A simple calculation will ultimately dictate that a robust cyber security system eats up a sizable profit margin which is a disincentive to corporations.
The argument here is that a legal requirement of cyber breach disclosure will definitely improve on the vigilance of corporations to invest in modern cyber security infrastructure regardless of the cost. A penalty and or fine should be set for non-disclosure of cyber breaches. A wake up call here is that the twenty first century business or any government agency security practice should not only concentrate on brick and mortar security, but also on the virtual world security practice. What is apparently at stake is not only in the real/physical world anymore, but in the virtual world as well. Therefore an investment in the virtual world security is not a waste of resources.
Several reasons can be mooted as to why cyber breaches and or cybercrime has a potential to become or has become rampant in the recent past.
The first reason among others is that it is easy to commit a data breach and go unnoticed as one can be anonymous using technology. This strong sense of presumed anonymity allows most hackers to conceal their paths. Secondly, the cyber world entails a computer network that spans the entire globe which makes it physically impossible to monitor this vast virtual world with criminals sometimes in foreign countries.
Why should there be disclosure of any cybersecurity breach? A simple reply is that any breach is likely to result in high risk to rights & freedoms of individuals most importantly the right to privacy and property. The property involved herein is personally identifiable information and ultimately financial loss may ensue.
Unauthorized destruction, alteration, loss, or access to personal data definitely puts individuals at risk. A Mobile Money wallet service provider or bank could be responsible for a data breach if a person’s record is inappropriately accessed due to lack of appropriate cybersecurity systems.
Modern cyber security practice requires that relevant authorities be notified and individuals whose rights are likely to be jeopardized have to be informed of any breach. Any unauthorized access to information which is likely to result into discrimination, damage to reputation, financial loss, loss of confidentiality or any other economic or social disadvantaged should be disclosed.
The conveyor effect of cyber breach disclosure is that corporations and government agencies will have tight timescales for reporting attempted and actual breaches on their systems. This way, all potential victims will engage in self-help approaches to forfend potential losses or even mitigate actual losses that flow from cyber breaches.
Writer is a lawyer/advocate