It seems to be an ongoing complaint from many in our industry that data breach disclosure laws are a must-have if businesses are ever going to take security seriously. In Australia, this has been talked about for a long time and I cringe every time I hear it; let me clarify why. (I borrow some of the following from my own blog posts.)
Organisations most likely to be affected by the introduction of such laws also tend to already have better information security and privacy policies in place. If you have good practices and controls in place, you’re probably also more likely to detect a breach and would, under these new laws, have to openly disclose. (I’ll leave you to consider the potential business and reputational implications to the organisation when this happens).
If your business's practices and controls around information protection are weak, you're probably clueless about whether a breach has occurred or not, so what you don't know can't get reported. Take the three monkeys approach to Information Security (see nothing, hear nothing, speak nothing) and the proposed disclosure laws will have little impact upon you.
Unfortunately, under this structure a better, more secure company is in more danger of being negatively impacted than a less conscientious company! Now is that really what we want? Of course not! Blanket statements espousing the benefits of such legislation are naïve. The introduction of such legislation could have the opposite effect to what it’s trying to do!
These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See a previous post on this topic.
Regulation does not need to be considered bad. See this discussion of regulation in an interview I did with David Rice (Author of Geekonomics: The Real Cost of Insecure Software) a few years back.
We can debate whether high-level statements of requirements in the Privacy Act cut it, but in my opinion, they don’t, and they haven’t so far, so what would change things now?
Of course, it is all a moot point if someone hacks you and does your Data Breach Disclosure for you, and as we’ve seen in recent years, it’s becoming quite popular.