Breach notification stick needs to be balanced with carrot

Summary: Although it supports changes to legislation that would require businesses to report data breach instances, Dimension Data's national security manager believes it needs to be more positive to be truly successful.

The concept of mandatory data breach notification legislation will be a good thing for IT businesses, according to Dimension Data national manager of security Jason Ha, but it needs to be implemented as a form of carrot, rather than stick.

Speaking to ZDNet, Ha drew a parallel with the information security industry as a whole, where the emphasis has been on how professionals fail, rather than where they silently succeed. He said that this results in no one wanting to stand out over fears of being cut down.

"Breach notification traditionally bears with it a very much stick-based orientation. For it to actually work, and convert into a benefit to organisations and to the ultimate protection of consumers, it needs to definitely have a more reward element to it, and the government needs to do more about encouraging and supporting a responsible and pragmatic approach to breach notification."

One example of the stick-based orientation is the current concern that many organisations might issue notifications that carry no real information.

Ha said that notifications like this create too much ambiguity, and lead people to form their own theories on what actually happened.

"If you look at RSA, for example, there was a good period of people assuming what the worst case was when they got breached."

But a positive result of breach notification legislation could be that these ambiguous notifications disappear and consumer confidence is boosted, if businesses start thinking in advance about the types of responses they might have to prepare.

Ha said breach notification should be turned into a proactive tool, with a business informing consumers upfront about the circumstances under which it will notify them.

"If your breach was about specifically consumer data ... you would have a specific type of response. If it was about internal staff information, or it was about information that related to a partner arrangement that you had with other suppliers or something like that, there would be a category or way that you would notify and consequently ask for response/assistance from that particular relationship."

Ha also addressed concerns over smaller businesses that fall under the AU$3 million revenue threshold that would otherwise make them subject to the Privacy Act, and hence to any data breach notification legislation.

With many small businesses moving to as-a-service offerings to keep their costs down, Ha said that the conversation between businesses and providers will become even more important, as they could potentially help businesses in the case of a breach.

"You're suddenly getting enhancements to security. You're getting stuff like breach notification capabilities or visibilities or incident response capabilities that you never really had trying to manage the equipment yourself."

Businesses shouldn't fall into the trap of thinking that they can shirk their notification responsibilities, though. Although they could come to an agreement with their provider as to how much security is provided, this will need to be carefully negotiated.

"The data ownership is still with the client. Whilst the provider can give them the visibility and the insight of potential incidents, managing the data itself is not the cloud provider's [role]."

Topics: Security, Government, Government AU

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • what, no, no carrots.

    No carrots needed; just the stick will do, and make sure the stick is big.
    There is no carrot big enough to encourage organisations to happily come public with data breaches that have resulted from their own incompetence and/or mismanagement.

    Yes, let's look at RSA for example. The only reason we can use this example is because of the mandatory breach notification laws and associated penalties in the US, not because RSA did it for the greater good. Almost all companies that I have knowledge of either migrated away from RSA to other 2-factor providers, or moved to cheaper RSA soft token solutions (which are easier to deploy and revoke).
    That event could have killed RSA, and I foresee that Australian breach notification law will contribute to the death of many businesses in Australia - and rightly so. If your business relies on customer/private data but you can't keep that data secure, then you shouldn't be in business.

    Now, where's my stick...
  • Stick is fine

    My understanding is that in the UK, our ICO does not levy monetary penalties for the data breach itself, but rather for folly, negligence, apathy, ignoring warnings etc etc etc. If a company has robust procedures and policies but is subject to an unprecedented incident, the ICO would advise and consult to ensure this type of occurrence cannot happen in the future. If the company suffers a breach of a kind that is easily prevented, then personally I don't think the stick is big enough!