Will data breach notification laws be good for partners?
- 17 November, 2016 11:15
The first breach notification laws in Australian history were recently tabled in Federal Parliament, with many in the cyber security industry praising the legislation and its potential in business.
Yet despite the positivity, others are not so convinced.
From a channel perspective, partners may assume that enacting the two pieces of proposed legislation - mandatory data breach notification and serious data breach notification - will mean a huge payday for the cyber security industry, but many in the industry agree that the proposed laws are only a start.
RSA chief cyber security advisor APJ, Leonard Kleinman, was formerly cyber security advisor to the Australian Tax Office.
In his new role, Kleinman will work with government and RSA partners on cyber security posture and the changing threat landscape.
Kleinman said that on initial inspection the mandatory data breach notification bill looks as though it is all about cyber security, but reading between the lines it is also about incentivising and encouraging organisations to improve their overall security posture from a business perspective, and in that respect it is playing the long game.
“I am encouraged by it,” he said. “I think that you need to keep progressing, putting one foot in front of the other and you will eventually get somewhere.”
Following the release, RSA general manager of Australia and New Zealand, Antoine Le Tard, attempted to put the legislation into a broader context of organisational readiness.
“It's the larger, more sophisticated organisations that are implementing strategies to make them more secure,” he said. “By them doing that they are also encouraging their supply chain to do the same.”
“It becomes a factor of if you are not compliant with certain policies and procedures, then you are no longer part of the supply chain in that organisation.
“We see that rising tides raise all ships and there is a responsibility on large enterprises and federal government agencies to do the same with the rest of the industry.”
While the argument Le Tard put forward may address the concerns of some partners working with large enterprise and the smaller organisations that serve them, other questions have been raised as to whether the legislation as a whole is in fact in the public interest.
Mandiant director of threat intelligence and consulting, Tim Wellsmore, has had an extensive career in government, having worked with the Australian Crime Commission since 2003.
Wellsmore said he was not sure that the public and industry had enough clarity around what the legislation was trying to achieve.
“Are we trying to put in breach disclosure legislation to protect the privacy of individuals?” he asked.
“And if so, [the legislation] doesn’t reach all of the requirements to do that. From my reading of it, small to medium enterprises are not included.
“I don’t think we have a clear success goal here. If we are here to try and protect the privacy of individuals then if any individual data has been leaked, people need to know about it, and yet we have all those exemptions.
“If the breach disclosure legislation is more about understanding the size and scope of the threat, that information does not get shared with the cyber security centre. So if it's all about protecting privacy then there are too many exemptions.”
If passed in its current form, Wellsmore said the practical impact of the bill would mean the public would be relying on business to make the assessment whether there is a real risk of serious harm.
“If you were a big corporation and you thought that disclosing information on a data breach would take up a lot of bandwidth and require a lot of effort, perhaps you would then deem it to be less serious than it could be,” he explained.
“Who makes the assessment as to what constitutes serious harm, and would that be the individual? A lot of individuals may not be concerned if phone numbers and emails are leaked, but they may also be an individual who has very grave concerns about their data being leaked.
“A small to medium enterprise or a large global corporation may all be equally able to lose data out there on to the darknet, but only the big ones that have been brought in under this legislation would be able to report it.
“If I run a business and I have a breach which I believe is in the public interest and I report it to the privacy commissioner, no one else hears about it.
“If the business community believes they will begin to get feeds in their emails about what breaches have occurred, I think they are very much mistaken. It is going to be a silent success if it is ever a success because I don’t think the privacy commissioner will be sharing this information anywhere.”
While concerned about the particulars of the bill, Wellsmore said that once the legislation has passed parliament, it can begin to be shaped to make it more effective.
Wellsmore added that this may in fact be the best approach at this time, as it places some legal requirements on Australian businesses now which can be strengthened in the future.
“A clearer definition of what success would look like is important. There is no measure of success in this thing and that is what makes me concerned.”