It's campaign time on data-breach disclosure

New Zealand has privacy laws, but they are weak on this issue

First up, you may notice a change in this week’s Computerworld. What do you mean you haven’t? Take another look. Run your paws over the silky new paper stock we are using. Cool, huh?

There have also been a few subtle design changes, all part of our drive to better service our readers’ information needs.

Moving right along, one of the most interesting outcomes of Computerworld’s Security Briefing, held in Auckland recently, was the result of a snap poll we conducted on data-breach disclosure.

Attendees at the event were almost unanimous in their support for the idea that New Zealand should have data-breach disclosure laws requiring organisations to inform individuals when their personal information has been compromised.

Most indicated they supported the concept while a few said they were unsure. But nobody was outrightly opposed to the idea.

Now, these people were generally from IT and more specifically they were people with information security responsibilities. I suspect if you performed a similar survey of other executives you would get a different result — and probably a lot more “don’t knows”.

That’s because the issue in New Zealand is subterranean. It’s not on the agenda at all. But it should be.

Right now, data-breach laws are being considered across America, in Canada, in the EU and elsewhere. We have privacy laws, but they are weak on this issue.

California law SB 1386, passed in 2002, is the model in this area. It has forced organisations to, firstly, take data security a lot more seriously and, secondly, develop detailed incident response plans to manage any data breach. And there’s nothing at all wrong with that.

Two days after the Computerworld event I was on a panel at a forum organised by Auckland-based information security consultancy Security-assessment.com discussing the same issue. Once again, there was a high level of agreement that data-breach disclosure was the right thing to do. I tried, briefly, to argue the opposite, but my heart wasn’t in it.

What’s interesting for me is how I went from a position of relative neutrality on the issue to being strongly in favour in just a few days.

It’s hard to argue against such a law. Organisations have an obligation to protect personal and sensitive data. When that data is compromised, or potentially compromised, individuals may need to take certain actions to protect themselves. They can’t do that unless they are made aware of the fact their data has been accessed.

In contrast, the arguments I’ve heard against disclosure seem relatively weak and self-serving. Having to notify the public about an information security breach will not be a pleasant thing to do. It will be embarrassing for the organisation involved. But it is the right thing to do.

If a data-breach disclosure law is introduced in New Zealand, I think it should be structured so that organisations doing the right thing and fessing up promptly are rewarded. The act of disclosing, and disclosing promptly, should carry some serious brownie-points in terms of protection from liability, especially if the rest of the organisation’s IT security meets some kind of acceptable practice standard.

Anyway, I’d be interested to hear your view on this. Drop me a line — my email address is rob_oneill@computerworld.co.nz.

Join the newsletter!

Error: Please check your email address.

Tags Security IDdata breach disclosure law

Show Comments

Market Place

[]