Published on May 30th, 2019
Why businesses don’t report cybercrimes to law enforcement
Companies are often compelled to report security incidents such as data breaches to regulators. Companies in the UK, for example, will be legally obligated under GDPR to inform the Information Commissioner’s Office (ICO) if they suffer a breach involving personal information of customers or employees. Similar obligations exist under the likes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the U.S. or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada.
However, no such compulsion exists when it comes to reporting cybercrime to law enforcement, leading agencies in both the UK and the U.S. to warn of a massive gap, estimated in the millions, between the number of actual incidents and the number of reported cybercrimes. Those unreported incidents make it harder to justify allocating resources to cybercrime units, which in turn limits agencies' ability to take down cybercriminals.
Why don’t businesses report cybercrimes, and are the reasons behind their reluctance justified?
Businesses are underreporting cybercrimes
Law enforcement agencies worldwide are rarely sure how many cybercrimes are being committed. In the UK, the gap between the Office for National Statistics' annual crime survey and the number of crimes reported to Action Fraud, the UK's national fraud and cybercrime reporting center, has been in the millions over recent years. A 2016 report by Barclays and the Institute of Directors found that only 28% of cyberattacks against businesses in the UK were reported to the police.