The case for mandatory breach disclosure is building with an increasing number of large, high-profile breaches, particularly in the US, where 2014 saw Target USA, JP Morgan Chase, eBay, Home Depot and Sony Pictures as the most prominent examples. The proposed US Personal Data Notification and Protection Act, among other developments, has seen the drums beating louder for a federal mandatory breach disclosure law in the US, unifying and simplifying the multitude of state-based laws.
In Australia, the mandatory breach disclosure bill is being debated in the Senate, and the Australian Information Commissioner, Timothy Pilgrim, has been one of its key proponents, particularly given the now expected adoption of the mandatory data retention scheme for telecommunications companies. Just last month the Joint Parliamentary Committee on Intelligence & Security (JPCIS) recommended that a mandatory breach disclosure law be adopted before the end of 2015.
So will a mandatory breach disclosure law be effective both in protecting consumer data and in encouraging organisations to reduce the risk of a data breach? Let’s look at the key issues for mandatory breach disclosure:
- Say you are a user who has entrusted your data to a third party, be it an insurer, a financial services firm, a marketing organisation or similar. Would you want to know if your information was compromised? Most users would answer in the affirmative. At least then you could take some steps to mitigate your exposure: not only cancelling credit cards, but also being more wary of phishing campaigns, or hiring a third-party organisation to monitor your credit rating.
- Mandatory breach disclosure laws in the European Union have improved security awareness in the EU (ENISA study – http://www.enisa.europa.eu/act/it/eid)
- Media coverage of compromises has led organisations to a more mature approach to cybersecurity. The two most often raised benefits are organisations adopting security best practices and being pressured by both the public and regulatory bodies to appropriately fund and staff their security programs. Security awareness among the general public is also heightened, which helps frame the risk in a broader context.
- Organisations that have been entrusted with user or third-party data, including personally identifiable information and credit card data, take cybersecurity more seriously when they are legally compelled to disclose breaches. It’s not ideal, but regulation and compliance drive security spend in most organisations. While we’d like to think that organisations would fund and staff their security programs as a matter of best practice, the financial ramifications of fines or brand damage are a more compelling case for senior executives and the board of directors.
- Senior executives and board directors are more engaged in cybersecurity when there is a risk of fines or brand damage and loss of reputation. In 2014 Lani Refiti and Dr Sally Ernst conducted research involving over one hundred board directors, which was presented to the 2014 AISA National Conference. One key theme was that board directors often felt cybersecurity was a technology issue best handled by their CIOs. When mandatory breach disclosure was raised in the interviews, there was a feeling that cybersecurity would become more strategic and something they would need to engage with more closely. Cybersecurity would move from a technology issue to a business issue.
If we look at global trends in cybersecurity regulation, mandatory breach disclosure is a logical step and brings Australia into line with most comparable countries. While it is a complex construct to turn into regulation, we as a security industry should not be reluctant to support and encourage the public discourse. There is a healthy tension in the exchange of ideas and differences of opinion across industry and the broader public. The debate around the effectiveness of mandatory breach disclosure should be encouraged, because it is through exploring the differing opinions that we will see improved outcomes.