Last week I posted a news item that Verizon was creating a web site where breaches could be reported anonymously. U.K. lawyer Stewart Room raises an interesting concern about using the site:
This is a fascinating concept, but from a legal perspective it is potentially fraught with difficulty for those organisations whose employees decide to take advantage of the service; if the organisation by its workers decides that it is ok to report incidents, albeit anonymously, to a third party, then it can attract close scrutiny about its breach reporting procedures in a general and specific sense, perhaps attracting the charge that it should be reporting to regulators too; ultimately, there are learning and mitigation purposes that are served in reporting to both recipients; the difficult question that will need to be thought through is “why is anonymous reporting ok, when open reporting is not?” Imagine a line of cross examination in a court environment that could be faced by the IT worker who unilaterally went down the route of reporting to a third when their organisation decided to keep quite (sic)…
Read more on Stewart Room.