Breach notification stick needs to be balanced with carrot

Although it supports changes to legislation that would require businesses to report data breach instances, Dimension Data's national security manager believes it needs to be more positive to be truly successful.

The concept of mandatory data breach notification legislation will be a good thing for IT businesses, according to Dimension Data national manager of security Jason Ha, but it needs to be implemented as a form of carrot, rather than stick.

Speaking to ZDNet, Ha drew a parallel with the information security industry as a whole, where the emphasis has been on how professionals fail, rather than where they silently succeed. He said that this results in no one wanting to stand out over fears of being cut down.

"Breach notification traditionally bears with it a very much stick-based orientation. For it to actually work, and convert into a benefit to organisations and to the ultimate protection of consumers, it needs to definitely have a more reward element to it, and the government needs to do more about encouraging and supporting a responsible and pragmatic approach to breach notification."

One current concern illustrates this: many organisations might issue notifications that contain no real information.

Ha said that notifications like this create too much ambiguity, and lead people to form their own theories on what actually happened.

"If you look at RSA, for example, there was a good period of people assuming what the worst case was when they got breached."

But a positive result of any breach notification legislation might actually see these ambiguous notifications disappear and consumer confidence boosted if businesses start thinking about the types of responses that they might have to prepare.

Ha said breach notification should be turned into a proactive tool, with businesses informing consumers upfront about the circumstances under which they will be notified.

"If your breach was about specifically consumer data ... you would have a specific type of response. If it was about internal staff information, or it was about information that related to a partner arrangement that you had with other suppliers or something like that, there would be a category or way that you would notify and consequently ask for response/assistance from that particular relationship."

Ha also addressed concerns over smaller businesses that fall under the AU$3 million revenue threshold that would make them subject to the Privacy Act, and hence to any data breach notification legislation.

With many small businesses moving to as-a-service offerings to keep their costs down, Ha said that the conversation between businesses and providers will become even more important, as they could potentially help businesses in the case of a breach.

"You're suddenly getting enhancements to security. You're getting stuff like breach notification capabilities or visibilities or incident response capabilities that you never really had trying to manage the equipment yourself."

Businesses shouldn't fall into the trap of thinking that they can shirk their notification responsibilities, though. Although they could come to an agreement with their provider as to how much security is provided, this will need to be carefully negotiated.

"The data ownership is still with the client. Whilst the provider can give them the visibility and the insight of potential incidents, managing the data itself is not the cloud provider's [role]."