It all stems from a Sydney Morning Herald opinion piece written by the CEO of the Association of Data Driven Marketing and Advertising opposing the mandatory data breach reporting law introduced to the Australian Parliament by federal attorney general Mark Dreyfus.
The CEO, Jodie Sangster, raised some eyebrows (and generated plenty of pro and con internet content) by referring to a mandatory data breach reporting law as “Luddite thinking” that would be “an innovation killer and the extra compliance red tape will strangle technology-related organizations throughout the economy.”
Sangster’s biggest problem with the legislation is the lack of a clear definition of “serious harm,” a term introduced by Dreyfus in his own previous opinion piece. In it, he writes that “(b)usinesses will not be unfairly burdened by the proposed laws because the notification requirement will apply only to serious data breaches that may cause harm to individuals.”
Here’s what Sangster believes is the end result of a law without a clear definition of “serious harm”:
… will likely cause organizations to adopt the most risk-averse internal policy setting. This, in turn, will lead to the over-reporting of relatively minor data errors, as compliance managers act to protect their organization from prosecution.
It will also tend to penalize those with the most sophisticated data management systems, since they are the ones more likely to pick up on data errors. Small to medium businesses will likely take a “see no evil, hear no evil” approach; they will put off investments in data-driven technology for fear it will come back to bite them.
…
The costs will fall relatively more heavily on smaller entities – the innovators of the Australian digital economy – who don’t have sufficient internal resources dedicated to compliance. They will find themselves spending more time managing the reporting process and less on managing the right outcome for customers.
Interesting points, for sure. But regardless of what an organization is required to do by law, many security experts would still suggest that it notify customers of any data breach itself before somebody else does.
Last month, we wrote a blog post entitled “Experts: Be fast and forthcoming with details of a data breach.” It excerpted a Dallas Morning News story, with these quotes from Javelin Security & Research senior analyst Al Pascual:
“Release clear, descriptive, and prompt notifications,” Javelin said. “Notifications that describe in detail how a breach occurred can bolster an organization’s claims that they have corrected the security vulnerability … restoring some degree of confidence among consumers.”
Shutting down about information is the worst thing a business can do in a data breach.
“To avoid having a breach event’s narrative hijacked by the media or by adversarial organizations, prompt disclosure is imperative,” Javelin said. “A loss of control can imperil an organization’s reputation, diminishing the trust of business partners, consumers, and shareholders.”
In the same post, we pointed out that an article by Healthcare IT News associate editor Erin McCann has strikingly similar advice from Gerry Hinkley, a partner at the Pillsbury Winthrop Shaw Pittman law firm who spoke at a HIMSS Media and Healthcare IT News Privacy and Security Forum.
Hinkley’s message: “Don’t give in to individuals who want to sugar coat this. … You do much better really saying what happened up front.” He said proper breach response can help limit cost, avoid litigation and help retain the integrity of the organization.
Let the debate continue.