Why businesses don’t report cybercrimes to law enforcement
Law enforcement agencies estimate that the number of cybercrimes that go unreported by businesses is in the millions. Here's why and when you should report breaches and other cyber attacks.
Companies are often compelled to report security incidents such as data breaches to regulators. Companies in the UK, for example, will be legally obligated under GDPR to inform the Information Commissioner’s Office (ICO) if they suffer a breach involving personal information of customers or employees. Similar obligations exist under the likes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S. or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
However, no such compulsion exists when it comes to reporting cybercrime to law enforcement. Agencies in both the UK and the U.S. warn of a massive gap, estimated to be in the millions, between the number of actual incidents and the number of reported cybercrimes. Those unreported incidents make it harder to justify allocating resources to cybercrime units, which in turn limits agencies' ability to take down cybercriminals.
Why don’t businesses report cybercrimes, and are the reasons behind their reluctance justified?