Mandatory Data Breach Notification

With the discussion again starting about Australia’s position on Mandatory Data Breach Disclosure (http://bit.ly/1avVg7H), we presented the following to the government in 2012 when the RFC was opened in regard to this potential legislation. What are your thoughts?

—————————————————-

The following are our [Securus Global] thoughts on Mandatory Data Breach Notification, in response to the Discussion Paper: Australian Privacy Breach Notification (October 2012).

Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place.

Where we are coming from: if you have good practices and controls in place, you are also more likely to detect a breach and would, under these new laws, have to openly disclose it. (Fair enough.)

On the flip side, if a business’s practices and controls around information protection are weak, it is more than likely unaware of whether a breach has occurred at all, so what you don’t know can’t get reported. (Not right.)

Unfortunately, under the structure proposed in the current discussion paper, a better, more secure company that knows what is happening in its IT environment is in more danger of being negatively impacted than a less conscientious company (i.e. when assessing the potential reputational and brand damage associated with a public disclosure).

The introduction of such legislation as currently documented could have the opposite effect to what it is trying to achieve: companies realise that, without a level playing field, their less secure competitors can plead ignorance as to whether a breach has occurred. Why, then, continue the expense of strong oversight, governance and technical controls around logging and monitoring when, reputationally, it would make better business sense to “dumb down” and minimise the risk of being put into a position of public breach disclosure?

These laws, in our opinion, will never be successful without supporting legislation/regulation around basic, minimum security practices and controls. The playing field, so to speak, should be even.

There should be no way that a company whose security practices are better than another company’s can be worse off in the event of a data breach incident.

We hope this is of help, and we are happy to discuss at any time. The business we are in is close to this field, and we have been talking about this subject with our clients and the information security industry in general since about 2004.

Further:
http://www.cso.com.au/blog/cso-bloggers/2012/03/07/data-breach-disclosure-laws-whos-going-feel-pain/#closeme
http://beastorbuddha.com/2007/08/14/more-on-disclosure-laws-in-australia/index.html
http://beastorbuddha.com/2008/08/13/alrc-data-breach-notification-recommendationflawed-approach/index.html
“Risk Management Magazine”, September 2008 article, p. 14

3 thoughts on “Mandatory Data Breach Notification”

  1. Further to this submission, we also suggest consideration be given to wrapping a lot of this up into Company/Director Disclosure Laws as defined in the Corporations Act. Eventually at a listed company level, surely the two should merge?!

  2. Totally agree. We definitely need to make directors and executives accountable, especially within Government organisations.

  3. Wondering, though, whether you’re allowed to act dumb, because if you are holding customer information you have to take steps to protect its privacy, so you gotta have something in place anyway? What do you think?
