IT security executives have given a resounding thumbs-up to the introduction of data-breach disclosure laws in New Zealand.
In a snap poll conducted at last week’s Computerworld Security Briefing, held in Auckland, almost all the IT executives surveyed indicated they would support a data-breach disclosure law, requiring organisations to notify affected customers when a breach occurred. Only a few indicated they were not sure whether they supported such a move, but none opposed such a law.
The result comes as Auckland-based consultancy Security-assessment.com launched an Auckland-Wellington roadshow to drive debate around the issue.
At the Auckland event last week, solicitor Michael Wigley said identity theft had become a big problem and predicted that if the European Union introduced data-breach disclosure legislation, New Zealand would follow.
“Any board not protecting its IP and brand is negligent,” he said, adding that there is no end of justification in law for legal action against companies in the event of a breach.
“Boards know they should protect their IP and brands but don’t do as much as they should,” he said.
Wigley described most of the “accepted use” policies he had seen as “shit”.
“They don’t work and that’s a strong indicator that all things are not well,” he said.
Peter Benson, chief executive of Security-assessment.com, says most security people “get it”, but most businesses don’t.
He says information security is wrongly seen as an IT issue, rather than a risk and compliance issue that should be managed from the top.
“Law creates accountability,” he says.
Benson says legislation lags technology by three to five years, because technology changes so quickly and is used in unexpected ways.
Wigley says to make a disclosure law part of the Privacy Act would be difficult as the latter is “principle-based” while a disclosure law would have to be quite specific. He says growing adoption of such laws across the US could be a product of the country having weak privacy legislation.
But, he says, the Office of the Privacy Commissioner here adopts a low-key stance compared with its counterpart in Australia, where privacy requirements are more stringently enforced.
Industry figure and ICT-NZ co-chairman Chip Dawson suggested there could be ways to encourage businesses to build security into their organisations.
Benson responded that security is essentially a “cost of doing business” and there is no business case associated with it. However, companies are breaching their ethical responsibilities by not taking security seriously. He added that the insurance industry is starting to provide some incentives through reduced premiums if corporate security standards are high.
Wigley said security is never perfect and some companies could be provided with incentives by means of escaping liability for breaches if their security met best-practice standards. He said the issue was complex but “do-able”.