Data security breach notification laws coming?

August 17, 2007 at 11:35 pm 6 comments

In a post two days ago, I referred to the Report on Personal Internet Security from the House of Lords. One of its recommendations to the British Government was a data security breach notification law.

In fact, the Report states that such a law “would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.”

The ripples of California’s 2002 law are also crossing the Pacific and reaching Down Under.

In Australia, a Gartner security analyst calls the law “inevitable”. With backing for the law from the Office of the Privacy Commissioner, that seems to be an accurate assessment. Details need to be worked through, such as “What constitutes a privacy breach? What constitutes a disclosure?”

What about New Zealand?

Computerworld reported that Privacy Commissioner Marie Shroff’s office was preparing recommendations for government that could force organisations suffering breaches of personal data to notify the individuals affected by the breach. It went on to say that she was studying what was happening overseas and that surveys conducted by her office had detected rising concern over data privacy and security. This pointed in the direction of recommending that “something needs to be done.”

Computerworld also reported earlier that in a snap poll at a recent Security Briefing in Auckland, “almost all the IT executives surveyed indicated they would support a data-breach disclosure law… Only a few indicated they were not sure whether they supported such a move, but none opposed such a law.”

It seems that a fear of not being in step with other countries is a major driver for introducing a notification law in Australia and New Zealand.

Am I in favour of such a law? Yes, but not for the reasons commonly put forward.

Firstly, I think it is a good idea because it gives us visibility of the size of the problem. The IT executives quoted above are convinced that breaches are common, but I have yet to be convinced that is the case in New Zealand. Either way, the law will cause organisations to reveal the real situation.

Secondly, organisations are almost universally loath to spend on good security unless pushed by an actual security breach (when it is a bit late to do much good) or by regulation. A notification law may therefore help push them to give their customers the level of security that personal information deserves.

Entry filed under: Aus, data_breach, fraud, government, identity, NZ, personal_info, privacy, report, security, strategy, trust, UK.

6 Comments

  • 1. Stephen Revill  |  August 21, 2007 at 3:30 pm

    The Canadian Internet and Public Interest Clinic released a white paper earlier this year arguing for the introduction of security breach notification rules by amendment to the Canadian “Personal Information Protection and Electronic Documents Act 2000” (PIPEDA). PIPEDA is the Canadian equivalent of our Privacy Act 1993.

    The white paper may be found at

    http://www.cippic.ca/en/news/documents/BreachNotification_9jan07-web.pdf

    A more cautious approach to security breach notification laws is found in Michael Turner’s “Towards a Rational Personal Data Breach Notification Regime” published by the Information Policy Institute in June 2006.

    This paper is located at

    http://www.infopolicy.org/pdf/data-breach.pdf

    Stephen Revill

  • 2. Vikram  |  August 21, 2007 at 9:11 pm

    Thanks for the links Stephen!

  • […] as previously noted, it seems likely that data breach notification laws are coming. Organisations will be able to […]

  • […] 27, 2007 The Privacy Commissioner has swiftly followed up on her “something needs to be done” regarding data breach notifications by launching draft voluntary guidelines for public […]

  • […] September 5, 2007 In 2002 California mandated notification of data breaches involving personal information. The ripples of this step are still spreading across the world. […]

  • 6. Idetrorce  |  December 16, 2007 at 10:54 am

    Very interesting, but I don’t agree with you.
    Idetrorce
