Symantec has been advising the Australian government on forthcoming data breach notification laws, laws that the company's CEO Enrique Salem predicts will be passed in both New Zealand and Australia in the near future.
The US-style laws require that customers be notified when a business has lost or compromised data linked to them. And that means many more data breaches become public, almost certainly damaging the reputation of companies affected.
Salem, speaking at a Sydney media conference, said the company had been working with the Australian Law Reform Commission and the Office of the Prime Minister and Cabinet on the first and second tranches of the proposed changes to the Privacy Act and the proposed introduction of data breach notification laws. Symantec later said it had not had similar contact with New Zealand authorities.
“Business here in Australia, I predict, will face these new disclosure laws. I’ve seen these adopted around the world, where when you lose data, there is a breach, then you have to notify the individuals,” he said.
“There are laws that are currently being worked on in Australia and New Zealand that will absolutely push the notion that if data is stolen, you have to say. Government has been working on [the laws]. We are advising the government on them, giving a point of view around what they should consider as part of the legislation.”
Last March, New Zealand's Privacy Commissioner Marie Shroff indicated mandated disclosure was likely.
“I believe that there is a good case to require agencies by law to notify customers where a security breach puts those customers at risk,” Shroff said.
She said voluntary guidelines introduced last year were "not inconsistent" with such a move and would provide useful experience of disclosure.
“Both the Australian and Canadian Privacy Commissioners have called upon their governments to enact breach notification laws,” Shroff says. “The Australian Law Reform Commission has studied the question and proposed that this be done in Australia. I believe there is now enough experience to suggest that breach notification laws are a useful adjunct to comprehensive information privacy law.”
“I encourage the Law Commission in its current privacy review to give special consideration to the usefulness and possible approach of a New Zealand breach notification law.”
Salem said that Symantec was pushing for the Australian laws to include a safe harbour clause to minimise the need for disclosure on data which had not been compromised.
“What we are working towards in the US, and in Australia and New Zealand, is that disclosures are important, but we want to make sure there are some safe harbours,” he said. “If you can prove that a laptop that was stolen had some data on it, but that it hasn’t been compromised, then you shouldn’t have to disclose that, as we don’t think there is any risk.
“These laws will absolutely happen here and in New Zealand and they are already in the US. There they will expand from 46 different laws to one federal one, and in Europe the same thing. The public absolutely has a right to know, and the government will get pressure to enforce these kinds of laws.”
In October the Australian Federal Government released its response to Privacy Act recommendations. Notably, however, the first stage does not deal with the sensitive issue of serious data breach notifications and the proposal to remove some exemptions.
Symantec intends to "extend its leadership" through R&D and acquisitions, Salem says, citing recent buyouts of filtering company MessageLabs and online backup firm SwapDrive.
The company, which has an Auckland-based R&D centre developing its Ghost disk cloning software, spends US$150 million a year on R&D, he says. Ghost was originally developed by Kiwi Murray Haszard, of Binary Research, in 1995. Symantec bought the technology in 1998.
Salem says Symantec will continue this distributed approach to research and development as the company needs to "look to where it can find talent".