Asia needs stronger data breach laws

Tougher laws will force companies to take data security seriously, says security expert from CA, who cites California's law as a good example to follow.
Written by Victoria Ho, Contributor

Governments in Asia need stronger data breach laws to ensure businesses improve the security of their customer data, according to a senior CA executive.

Jerry Cox, CA's director of security sales for the Asia-Pacific region, including Japan, said in an interview: "Strong laws would force a company to disclose security breaches often involving the loss of customer data."

This, Cox explained, would protect the people whose data was compromised. Strong data breach laws will also ensure companies take data security more seriously, especially if there are penalties in the form of monetary fines, or risks of reputation damage due to public disclosure.

According to Cox, Japan and Korea are ahead of most parts of Southern Asia in establishing such laws.

"In Japan, companies pay for security breaches in the form of an 'apology fine', sometimes per user account affected, which can amount to millions of dollars," he said. "Unfortunately, most of Southern Asia is not at [the] level [of Japan] yet."

Cox said California is an example where strict data breach laws are "driving good security practices". California's law--SB 1386--requires businesses to disclose data security breaches to residents if their unencrypted personal information is compromised. Other U.S. states have since introduced similar laws, and the United Kingdom is also moving in that direction.

Noting that the penalties in Asia are often disproportionately-low to the crime committed, Cox said: "In Singapore, spammers can be fined. But you've got half the population online, so it's a bigger crime than it seems, and the penalties should be more severe.

"In the United States, the penalty for spamming is jail," he added.

On what would be a long-term measure to protect data, Cox suggested educating people to be more careful and aware of "sound security practices".

Cox also highlighted the importance of establishing a good security foundation before implementing "higher level" security measures such as identity (ID) management.

Explaining what constitutes a foundation of "sound" network security, Cox said that putting up firewalls and antivirus protection, as well as building policies around user permissions, should be established before implementing ID management.

Companies that do not have a good foundation risk failure of automated security processes such as ID management. Compared to their western counterparts, more companies in the region are going down this path, Cox warned, noting how easily available such technologies are in Asia.

"While the United States went with the evolution of security tools, companies in Asia have a lot to choose from, even if their organizations are not ready," said Cox. Unlike many Asian companies, those in the United States "grew" their security implementations with the sophistication of the tools available over time, he said.

He added that enterprise security policies may not be as developed in Asia, and estimates companies in this region to be "five to seven" years behind their U.S. counterparts, despite having access to the latest technology.

Editorial standards