Cyber crime is serious and tackling it requires far more than a hotline. That is what Monique van Dijken Eeuwijk, senior associate at NautaDutilh, and André Mikkers, Forensic Services partner at PwC, argued last Friday on the opinion page of Dutch daily newspaper Trouw. They wrote their article as a follow-up to the Cyber Crime Conference organised by PwC and VU University Amsterdam last September at which they both spoke.
The need to plug data leaks and to increase data protection is growing. After all, the number of reported incidents involving mainly the theft, copying, destruction or manipulation of personal – and therefore valuable – digital data by cyber criminals is rocketing. In the article, Monique van Dijken Eeuwijk and Andre Mikkers argue that introducing a reporting obligation is insufficient to increase data protection. 'Such a measure is meaningful only if businesses and institutions know that they have been compromised digitally, and the majority do not have the in-house knowledge and expertise to detect digital forced entry, let alone to track it down and report it.’ Is the introduction of a reporting obligation therefore a bad idea? ‘No, it is a good incentive to ensure that personal data is properly protected. But the reporting obligation must not be an end in itself. Without supplementary measures to help increase the digital resilience of organisations and individuals, it will be no more than an incident criterion.’
In addition to the reporting obligation, Monique van Dijken Eeuwijk and André Mikkers are arguing for the development of national initiatives to increase knowledge of data leaks. 'Invest in the training of more digi experts and offer incentives in sectors where digital defence is weakest. Develop standards for anti-cyber-crime facilities and control processes with which organisations must at least comply, and consider the introduction of an accountability obligation for organisations with a public interest.' Because, as Monique and André conclude in their article, 'we will not have the full benefit of a reporting obligation until the cyber security infrastructure is effective.'