CA exec urges Asia to strengthen data-breach laws

Jerry Cox, CA's director of security sales for the Asia-Pacific region, including Japan, said in an interview that "strong laws would force a company to disclose security breaches often involving the loss of customer data."

This, Cox explained, would protect the people whose data was compromised. Strong data-breach laws will also ensure companies take data security more seriously, especially if there are penalties in the form of monetary fines, or risks of reputation damage due to public disclosure.

According to Cox, Japan and Korea are ahead of most parts of Southern Asia in establishing such laws.

"In Japan, companies pay for security breaches in the form of an 'apology fine,' sometimes per user-account affected, which can amount to millions of dollars," he said, adding, however, that data security in most of Southern Asia is not yet at the level of that deployed in Japan.

Cox said California's strict data-breach law is an example of legislation "driving good security practices." California's law--SB 1386--requires businesses to disclose data-security breaches to residents if their unencrypted personal information is compromised. Other states in the U.S. have since introduced similar laws, and the U.K. is moving in that direction.

Data-breach penalties in Asia are often disproportionately mild compared to the severity and consequences of the breach, Cox said. "In Singapore, spammers can be fined. But you've got half the population online, so it's a bigger crime than it seems, and the penalties should be more severe."

Cox added: "In the United States, the penalty for spamming is jail."

One long-term measure to protect data, Cox suggested, would be to educate people about sound security practices and require them to apply them diligently.

Cox also highlighted the importance of establishing a good security foundation before implementing "higher level" security measures such as identity management.

Explaining what constitutes a foundation of "sound" network security, Cox said that putting up firewalls and antivirus protection, as well as building policies around user permissions, should be established before implementing ID management.

Companies that do not have a good foundation for network security risk the failure of automated security processes such as ID management. Compared to their western counterparts, more companies in Asia are taking this riskier path, Cox warned, noting that a wide range of security technologies are nonetheless readily available in the region.

"While the United States went with the evolution of security tools, companies in Asia have a lot to choose from, even if their organizations are not ready," said Cox. Unlike many Asian companies, those in the U.S. "grew" their security installations and practices by applying more-sophisticated tools as they became available, he said.

He added that enterprise security policies may not be as developed in Asia, and estimates companies in this region to be "five to seven" years behind their U.S. counterparts, despite having access to the latest technology.

Victoria Ho of ZDNet Asia reported from Singapore.