Move quickly on mandatory data breach disclosure laws
Over the last year I have had the great privilege of participating in a number of government forums across Australia and New Zealand to discuss the changes in the security threat landscape.
I've had a broad range of discussions with a number of government executives on topics as common as spam and malware, as complex as Stuxnet and hacktivism and as challenging as privacy and data breaches.
Whether it's a briefing for government CIOs or customers, or a presentation to analysts, journalists and industry experts, one theme recurs: the overwhelming concern in businesses and government agencies about how they can better protect their information and minimise the risk of data loss.
This is a challenge faced by governments around the world as well as large and small businesses, but in New Zealand it's often the government agencies that have the most interest in understanding what legislative parameters need to be put in place to ensure information is secure.
For most of us, this is not a surprising concern. One of the most pressing security issues on the legislative agenda at the moment relates to mandatory data breach disclosure. The prevalence of data breaches is growing, as illustrated by a number of high-profile cases over recent months.
Household brands, local brands and even the most loved brands have been targeted by attackers, with customer information including names, email addresses and even credit card details being leaked. Attackers typically use this information for financial gain, both by exploiting the financial data directly and by launching personalised attacks, such as targeted phishing, against the consumers whose data has been compromised.
Protecting our organisations and consumers isn't getting any easier, and financially motivated crimes are continuing to grow. But times are changing. We are also witnessing the emergence of politically motivated hacktivism. Groups such as Anonymous, Lulz Security and AntiSec are using hacking and malware to damage organisations they don't agree with. These groups claim they are not after notoriety for publicity's sake - they are protesting about the lack of privacy in society.
In addition, the proliferation of mobile devices, the move to the cloud and the rise of social networking have all compounded the problem of protecting information. While each of these offers tremendous opportunities, together they create the perfect storm for governments charged with protecting our nation's most critical data.
The sheer volume of data breaches - whether financially or politically motivated - together with the rise of mobility, social networking and cloud computing all add weight to the New Zealand Law Commission's calls for a mandatory system of data breach notification. It is encouraging that these recommendations are supported by the Office of the Privacy Commissioner. However, the time has come to stop talking about data breach legislation and start implementing it.
While organisations are currently advised to report data breaches to the Office of the Privacy Commissioner, there is no obligation for them to do so.
In the absence of a mandatory disclosure law, many incidents still go unreported or are reported late, leaving people unaware that their personal information has been compromised. The lack of such a law also gives organisations less incentive to strengthen their security posture and prevent leaks from occurring in the first place.
For organisations storing customer data, it's clear that threats are coming from every direction and public tolerance for these types of breaches is waning quickly. Considering New Zealand's world class e-health system, we need to be doing everything we can to protect the private information of our citizens.
Other nations around the world are starting to take action in an effort to reduce malicious attacks and protect information.
The US has led the way in terms of introducing laws that promote data loss prevention as well as ensuring that all impacted consumers are informed. Mandatory data breach notification laws are in place in 46 US states.
In the UK, the government has also taken a stronger stance on data breaches, recently increasing the maximum corporate fine for a serious data breach from £5,000 to £500,000.
Symantec has made recommendations in New Zealand based on our experience in Australia. Our view is that Australia has made good progress on the privacy front, but there is still much to be done. The Australian government has responded to 197 of the 295 recommendations stemming from the Australian Law Reform Commission's privacy law review and is in the process of deciding whether to implement mandatory data breach notification laws and other provisions that would, for instance, give the Australian Privacy Commissioner powers to fine companies for breaches.
Symantec supports these recommendations and believes they will go some way to protecting people's information and identities.
With the incidence and severity of data breaches increasing across the country, Symantec's view is that New Zealand should fast-track the New Zealand Law Commission's recommendations through Parliament to ensure the protection of confidential information held by businesses and government organisations.
Rather than focusing only on the aftermath of a data breach, data security law should reduce the likelihood of a breach by requiring businesses to take reasonable security measures to protect the confidentiality and integrity of sensitive personal information. The government should also consider incentives for companies to protect data, such as a safe-harbour exemption from notification for entities that had protected the affected data with reasonable security measures or recognised best practices, like encryption (with the obvious proviso that the exemption should not apply if the encryption keys were compromised as well).

Lastly, it should encourage heightened enforcement, through increased penalties, against entities that fail to use reasonable security measures to protect people's data.
However, while legislation plays a role, it is no panacea. Collaboration across industry and the whole of government is essential, and education and technology matter just as much. The responsibility for tackling this problem should therefore not rest on the government's shoulders alone: industry has a vital role to play in establishing processes, improving technology and promoting education.
By taking precautions against the loss of data, governments can significantly bolster their defences against attacks and instil confidence and trust into the online world.
Introducing mandatory data breach notification laws will be a giant leap forward on the New Zealand privacy front, and the faster it happens, the better. I will be watching developments closely over the coming year.
Craig Scroggie is Symantec's Vice President and Managing Director for the Pacific Region