Tuesday, 4 June 2013

Mandatory Data Breach Notification

The Australian Government has just announced that mandatory data breach notification laws will commence in March 2014.  This is an excellent start, and the Government is to be congratulated on the initiative.  I'm not normally one to promote more "cyber" legislation to cover new implementations of old crimes, but this really is a new type of crime for which no existing legislation adequately applies.

We've had identity theft for as long as we've had scammers, but in the pre-Internet world this was done one at a time, and required local knowledge and a lot of effort.  But now it can be done wholesale, from anywhere, to anyone, for nearly no cost.  And this is happening every day.

So how will mandatory data breach notification help?  It won't make us any more successful in prosecuting the attackers, so it won't reduce the number of attacks.  It has nothing to do with helping the people who are the subject of identity theft, so it won't reduce the impact of the crime.

Today the only sensible approach to take for any company that has a data spill is to cover it up.  There is no possible positive outcome from telling anyone, and a significant likely negative outcome in terms of reputation damage, share price reduction and loss of market confidence.  So this just looks like more victim blaming.

The real point is to make businesses care about security.  If they know that they will be named and shamed, they are more likely to take the necessary steps to not be breached, and therefore reduce the number of actual breaches, and so reduce the impact on the Australian people.  Raising the cost to the attackers is a win for everyone.

Better security is an investment in the future, not a cost to be minimised.

Phil Kernick, Chief Technology Officer
@philkernick | www.cqr.com