Data Breach Disclosure Laws – Who’s Going to Feel the Pain?

Drazen Drazic

Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

It seems to be an on-going complaint from many in our industry that data breach disclosure laws are a must-have if businesses are ever going to take security seriously. In Australia, this has been talked about for a long time, and I cringe every time I hear it. Let me clarify why. (I borrow some of the following from my own blog posts.)

Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place. If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose it. (I’ll leave you to consider the potential business and reputational implications for the organisation when this happens.)

If your business’s practices and controls around information protection are weak, you’re probably clueless about whether a breach has occurred or not, so what you don’t know can’t get reported. Take the three monkeys approach to Information Security—see nothing, hear nothing, speak nothing—and the proposed disclosure laws will have little impact upon you.

Unfortunately, under this structure a better, more secure company is in more danger of being negatively impacted than a less conscientious company! Now, is that really what we want? Of course not! Blanket statements espousing the benefits of such legislation are naïve. The introduction of such legislation could have the opposite effect to what it’s trying to achieve!

These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See a previous post on this topic.

Regulation does not need to be considered bad. See the discussion of regulation in an interview I did with David Rice (author of Geekonomics: The Real Cost of Insecure Software) a few years back.

We can debate whether high-level statements of requirements in the Privacy Act cut it, but in my opinion, they don’t, and they haven’t so far, so what would change things now?

Of course, it is all a moot point if someone hacks you and does your Data Breach Disclosure for you, and as we’ve seen in recent years, it’s becoming quite popular.


Tags: breach, laws, disclosure
