Data security breach notification laws coming?
In a post two days ago, I referred to the Report on Personal Internet Security from the House of Lords. One of its recommendations to the British Government was a data security breach notification law.
In fact, the Report states that such a law “would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.”
The ripples of California’s 2002 law are also crossing the Pacific and reaching Down Under.
In Australia, a Gartner security analyst calls the law “inevitable”. With backing for the law from the Office of the Privacy Commissioner, that seems to be an accurate assessment. Details need to be worked through, such as “What constitutes a privacy breach? What constitutes a disclosure?”
What about New Zealand?
Computerworld reported that Privacy Commissioner Marie Shroff’s office was preparing recommendations for government that could force organisations suffering breaches of personal data to notify the individuals affected by the breach. It goes on to say that she was studying what was happening overseas and that surveys conducted by her office had detected rising concern over the issue of data privacy and security. This pointed in the direction of recommending that “something needs to be done.”
Computerworld also reported earlier that in a snap poll at a recent Security Briefing in Auckland, “almost all the IT executives surveyed indicated they would support a data-breach disclosure law… Only a few indicated they were not sure whether they supported such a move, but none opposed such a law.”
It seems that a fear of not being in step with other countries is a major driver for introducing a notification law in Australia and New Zealand.
Am I in favour of such a law? Yes, but not for the common reasons put forward.
Firstly, I think it is a good idea so that we can get visibility of the size of the problem. The IT executives quoted above are convinced that breaches are common, but I have still to be convinced that is the case in New Zealand. In any case, the law will cause organisations to reveal the real situation.
Secondly, organisations are almost universally loath to spend on good security unless pushed by an actual security breach (when it’s a bit late to do much good) or by regulation. A notification law may therefore help push them to give their customers the level of security that personal information deserves.