Businesses whose security foundations are sound should not be worried about potential mandatory data breach-notification legislation, according to NetIQ Identity, Security & Governance business manager Ian Yip.
Recent submissions in response to the discussion paper by the Attorney-General's Department for mandatory privacy/data breach-notification have stated that many organisations would.
Parties such as the Law Council of Australia worry that the consequences of existing amendments to the Privacy Act, which are now set to come into effect in March next year, are yet to be fully seen, and that launching into the debate now could be premature.
But when speaking to ZDNet, Yip said that this is merely an excuse not to spend any money on security, given that businesses should already be prepared.
"No matter what the decision is on what the Privacy Commissioner decides to do, how the cloud market moves, what mobility means in two years, if the foundational security is there, then you're a lot more agile as a company or organisation to be able to react to whatever the trend happens to be at the time."
He said that businesses should not be given the benefit of being able to say it wasn't mandated, or that they were waiting for changes to happen.
He also said that there needs to be better language about any data breach-notification legislation. While the Privacy Act is principles-based at the moment, Yip said that any new legislation specific to breach notification could benefit from a combination of principles and prescriptive language.
Yip suggested that a more prescriptive scheme would help define what actually constitutes a breach, and the necessary actions that should consequently be taken. However, he warned that principles-based values are needed to ensure that the new laws don't simply become yet another checklist.
He said the principles are necessary to ensure that organisations really know why they should care about their customers' privacy.
"If you delve down straight into 'here's a bunch of things I need to do', without knowing why you're doing it, that doesn't really work. It's finding the right balance."
He also said that those who should be examined when it comes to a data breach would be different to those traditionally covered under the Privacy Act.
For example, the Privacy Act does not apply to companies that have an annual turnover of AU$3 million or less. Yet small startups could harvest thousands of records containing personally identifiable information as part of their operations, whether they have a successful revenue model or not.
"Just because your company isn't big enough does not exclude you from being under the same rules and regulations that everybody else would be under, just because you can't pay the fine."