ALRC - Data Breach Notification Recommendation……Flawed Approach?
Unless I’ve missed something (and it’s certainly not in section “51. Data Breach Notification” of this 2600-plus-page Australian Law Reform Commission document), we’re still lacking some fundamental basics for any data breach notification law to be successful.
As currently proposed, the organisations that stand to be impacted the most are the ones that probably have the better information security and privacy policies in place.
In basic terms, if you’ve got good practices and controls in place, you’re more likely to detect a breach and/or disclosure of private and confidential information. Thus, you will have to disclose it openly. There is no need to drill down into the potential business and reputational implications for the organisation.
If your practices and controls around information protection are weak, you’re probably clueless as to whether a breach has occurred, so what you don’t know doesn’t get reported. Practise the three monkeys approach to information security and the proposed data breach disclosure laws will have little impact upon you.
These laws will never be successful without supporting legislation/regulation around basic and minimum security practices and controls. See previous post on this topic:
Regulation does not need to be considered a bad thing. See discussion on regulation here.
We can debate whether high-level statements of requirements in the Privacy Act will cut it, but in my opinion they won’t. They haven’t so far, so what would change things now?


August 14th, 2008 at 5:04 pm
ORM wins… Fatality! Game Over.
How to incentivise visibility, surveillance and auditability?
August 14th, 2008 at 8:23 pm
Yes, ORM is still the most successful and most applied Risk Management strategy in the world:
http://beastorbuddha.com/2008/02/16/ostrich-risk-management-the-most-successful-it-risk-management-program-in-it/
We have been slack in getting the certification program up and running but we expect it will be ready by the end of 2008!