With the discussion again starting about Australia’s position on Mandatory Data Breach Disclosure (http://bit.ly/1avVg7H), we presented the following to the government in 2012 when RFC was opened in regards to this potential legislation. What are your thoughts?
The following are our [Securus Global] thoughts on Mandatory Data Breach Notification, in response to the Discussion Paper: Australian Privacy Breach Notification (Oct, 2012).
Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place.
Where we are coming from: If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose. (Fair enough).
On the flipside, if a business’s practices and controls around information protection are weak, they’re more than likely clueless about whether a breach has occurred or not, so what you don’t know can’t get reported. (Not right).
Unfortunately, under this proposed structure as documented in the current discussion paper, a better, more secure company, who knows what is happening in their IT environment, is in more danger of being negatively impacted than a less conscientious company. (ie; When assessing the potential reputational and brand damage associated with a public disclosure).
The introduction of such legislation as documented at the moment could have the opposite effect to what it’s trying to do. (ie; companies realise that without a level playing field, their less secure competition can plead ignorance to understanding whether a breach has occurred, so why continue the expense involved with strong oversight and governance and technical controls around logging and monitoring when, reputationally, it would make better business sense to “dumb-down” and minimise the risk of being put into a position of public breach disclosure).
These laws, in our opinion will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. The playing field, so to speak, should be even.
There should be no way that a company whose security practices are better than another company’s can be worse off in the event of a data breach incident.
We hope this is of help and happy to discuss at anytime. The business we are in is close to this field and we’ve been talking about this subject now since about 2004 with our clients and the Information Security industry in general.
“Risk Management Magazine”, September, 2008 article, pg.14