BreachExchange mailing list archives

Data Breach Reporting: A Job Killer or Business Saver?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Aug 2014 19:32:10 -0600

http://smartdatacollective.com/onlinetech/222011/data-breach-reporting-job-killer-or-business-saver

There’s quite a brouhaha bubbling up Down Under.

It all stems from a Sydney Morning Herald opinion piece written by the CEO
of the Association of Data Driven Marketing and Advertising opposing the
mandatory data breach reporting law introduced to the Australian Parliament
by federal attorney general Mark Dreyfus.

The CEO, Jodie Sangster, raised some eyebrows (and generated plenty of pro
and con internet content) by referring to a mandatory data breach reporting
law as “Luddite thinking” that would be “an innovation killer and the extra
compliance red tape will strangle technology-related organizations
throughout the economy.”

Sangster’s biggest problem with the legislation is the lack of a clear
definition of “serious harm,” a term introduced by Dreyfus in his own
previous opinion piece. In it, he writes that “(b)usinesses will not be
unfairly burdened by the proposed laws because the notification requirement
will apply only to serious data breaches that may cause harm to individuals.”

Here’s what Sangster believes is the end result of a law without a clear
definition of “serious harm”:

… will likely cause organizations to adopt the most risk-averse internal
policy setting. This, in turn, will lead to the over-reporting of
relatively minor data errors, as compliance managers act to protect their
organization from prosecution.

It will also tend to penalize those with the most sophisticated data
management systems, since they are the ones more likely to pick up on data
errors. Small to medium businesses will likely take a “see no evil, hear no
evil” approach; they will put off investments in data-driven technology for
fear it will come back to bite them.

…

The costs will fall relatively more heavily on smaller entities – the
innovators of the Australian digital economy – who don’t have sufficient
internal resources dedicated to compliance. They will find themselves
spending more time managing the reporting process and less on managing the
right outcome for customers.

Interesting points, for sure. But regardless of what an organization is
required to do by law, many security experts would still suggest that it
notify customers of any data breach itself before somebody else does.

Last month, we wrote a blog post entitled “Experts: Be fast and forthcoming
with details of a data breach.” It excerpted a Dallas Morning News story,
with these quotes from Javelin Security & Research senior analyst Al
Pascual:

“Release clear, descriptive, and prompt notifications,” Javelin said.
“Notifications that describe in detail how a breach occurred can bolster an
organization’s claims that they have corrected the security vulnerability …
restoring some degree of confidence among consumers.”

Shutting down the flow of information is the worst thing a business can do
in a data breach.

“To avoid having a breach event’s narrative hijacked by the media or by
adversarial organizations, prompt disclosure is imperative,” Javelin said.
“A loss of control can imperil an organization’s reputation, diminishing
the trust of business partners, consumers, and shareholders.”

In the same post, we pointed out an article by Healthcare IT News associate
editor Erin McCann that carries strikingly similar advice from Gerry Hinkley,
a partner at the Pillsbury Winthrop Shaw Pittman law firm who spoke at a
HIMSS Media and Healthcare IT News Privacy and Security Forum.

Hinkley’s message: “Don’t give in to individuals who want to sugar coat
this. … You do much better really saying what happened up front.” He said
proper breach response can help limit cost, avoid litigation and help
retain the integrity of the organization.

Let the debate continue.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
