​Breach notification legislation: Friend or foe?

As 2015 draws to a close, the government's data breach notification scheme has still not been mandated. This legislation will compel organisations to notify people when their privacy is potentially compromised by a data breach.

Although the Parliamentary Joint Committee on Intelligence and Security's (PJCIS) data retention inquiry recommended the introduction of a mandatory data breach notification scheme by the end of 2015, we still wait patiently for the scheme to be delivered.

So does this delay mean we, as Australian consumers and citizens, are sitting ducks? Privacy advocates are ringing alarm bells declaring that the lack of legislation means that when data retention goes bad, no one is required to tell you.

To be clear, the right behaviour is to disclose, every time

We saw this recently with Kmart. The retailer endured a customer hack in September and notified the Office of the Australian Information Commissioner (OAIC) of the breach and conducted an immediate investigation.

The OAIC was encouraged by Kmart's voluntary, proactive response stating that they are seeing more and more organisations also reporting their data breaches voluntarily. Such high-profile attacks and breaches keep cyber security and online privacy a huge focus on governance for good electronic corporate citizenship.

Regulations are always sensitive and polarising in the corporate world. No one wants more cost and complexity for having to follow yet another regulation. Breach notification will require new processes and controls, comprehensive understanding of risk and expert personnel.

But the critical point here is that this is needed anyway, with or without a government regulation. If the government doesn’t demand better disclosure policies for breaches, consumers will do soon enough.

Requiring breach notification establishes a level playing field that makes it clear to companies: if you have a breach, get ready to talk about it. It also will help reduce the bayonetting of the wounded when breaches occur. Breaches are inevitable, but data theft is not. There is much that can be done after an attacker gets inside a network to prevent them from leaving with valuable information.

Today, the majority of network security spend is focused on the early stages of an attack, and the late stages of an attack. What’s missing is a solid understanding of the middle, what happens after a threat gets in, but before they get out.

It’s time to pay attention to security and make sure that prevention, containment and post-event ethical process and management are top priorities at the C-level and with corporate boards.

I would go so far as to say that one of the first principles of any regulation should be to make clear that it is not only arrogant, but also unethical to determine risk for someone else and to deprive them of the opportunity to make their own risk decisions, no matter how obvious a corporate board room might think the choices are for victims.

A data breach notification law, taken in isolation of other digital and communications requirements, sets the right tone for what to do and what not to do.

In many situations, the conversation isn’t about the right thing to do for the victims (i.e. the end users or businesses whose data is lost) but is instead about the right thing to do for the breached company (e.g. how to avoid legal exposure, bad press, and other risks to the bottom line). That approach has to end.

It’s also important to establish that the specific moment a breach occurs isn’t always simple to understand.

There’s a popular perspective that it’s easy to know if and when a breach has occurred, but this isn’t like looking in a bank vault and seeing that the money is missing. It isn’t always clear, and it often requires forensic work and proving negatives.

Post-breach notification and best practices can be a competitive differentiator

That makes it important to also stress that investigations have to happen promptly, that documented and effective policies exist on identifying an incident, and that investigators and executives don’t drag their heels to avoid having to notify at the time of the breach.

A well-written breach-notification law will make it clear that the risk decisions to be made at the top of an affected company are not just about the risk to those that have the privilege of holding data.

The time to worry about a breached company’s risk is beforehand in building a cyber-security program and contingencies. Once an incident happens, the needs of the victims become the biggest priority.

Believe it or not, post-breach notification and best practices can be a competitive differentiator. In short, having to disclose is not the end of the world for businesses, and can become something of a check in their favour when done correctly.

A rule like this will make it crystal clear that non-disclosure isn’t an option. It will enable us all to focus on making sure that inevitable infrastructure breaches don’t mean data breaches or, when they do, that they are containable. We can also focus on the right areas to improve best practices, work on prevention, invest in new technologies and plan to minimise damage from attacks and frustrate the attackers who commit them.

Most compelling of all, it will enable an approach that always puts the real victims in the centre and guides the right behaviours from the outset. Having data isn’t a right for corporations; it’s a privilege and one that must always be treated as such, before, during and after breaches.

Nick Race is ANZ country manager at Arbor Networks.