April 30th, 2007 Drazen Drazic
An article from Peter Benson, Security-Assessment.com on Disclosure Laws.
————————————
So when do you disclose a breach? From what we have seen in Australia and New Zealand, generally only when you are forced into it. The notion of disclosure is starting to raise its profile around Australasia, as a result of breaches occurring, and a general lack of public disclosure being undertaken.
The unfortunate aspect of this is that within our region, there is nothing to force companies to disclose, and as a result, a number of companies are not taking their information security seriously.
Companies are either burying their heads in the sand, or using obscurity as the weapon whereby they resist letting the public and their customers know of bad stuff happening. Often, as a result of this lack of accountability and good corporate citizenship, information security is still being seen as an “IT issue”, or alternatively, something to be avoided. In a number of cases that we are aware of, organizations haven’t even been aware that they have been breached until such time as “weird things happen”, or it otherwise gets into the public arena.
Let’s be real about this; while there are emerging standards such as the Payment Card Industry and banking regulations that bring in mandatory compliance in some organizations, the reality is that it is simply just good and responsible practice to at least let your customers know that you have had a breach, and that their information may have been impacted! What is better: covering up a breach and having the media find out about it first (then catch up with media controls), or demonstrating an ethical responsibility to customers where their information has been put at risk? The old school notions of “not telling anyone” just don’t cut it any more, and are likely to result in a higher impact over time if issues become disclosed by third parties.
So let’s look at bringing back a level of responsibility and accountability to the customer. If we don’t, it is likely that disclosure laws will be enforced sooner rather than later, which will force the issue, and potentially have a much higher impact than if we take a proactive stance on this.
Let’s make no mistake, accountability is there, and while there are some courses of action available to enforce accountability around protection of information, the reality is that these will largely be superseded in the not too distant future through disclosure laws. Protection of customers’ interests and privacy is something that a lot of us have not really addressed seriously as yet, and we still give lip service to this as an “IT issue”. It is not; it is the ethical and responsible protection of our customers’ (and implicitly our shareholders’) interests, behaving in ways that are socially and ethically responsible. To say that this doesn’t exist, or is not a risk, is simply untrue, and we will see changes coming in the near future. Watch this space!
————————————
Peter was recently quoted in Computerworld on this topic. He will be presenting on this topic in New Zealand and possibly Australia. Watch this space also.
Peter raises a good point about organisations not even knowing if they have been breached. We see this all the time, as I have noted in a few entries: Botnets, Zero Days, Tell me I’m not owned. How will this play out when disclosure laws come out? The three monkeys approach? I hope not!