If your organisation has trouble finding a measurable return on investment for its cybersecurity spend, then mandatory data breach notification will give you one, says Chris Pogue, chief information security officer at Nuix.
Australia's new data breach notification laws are expected to come into force some time in 2018. In the US, 47 of the 50 states have had equivalent laws for several years. Pogue appears as an expert witness in data breach cases. He predicts that Australia will experience a similar sequence of events.
First, there'll be a wave of "new" data breaches.
"You're going to see this arbitrary bubble, because everybody has to report, and there's the propensity to say the sky is falling, Australia is under massive cyber attack, and you're really not," Pogue told journalists in Sydney on Thursday.
"It's not any different than it was the year before. You're just compelled to report that now."
After that, when all these data breaches become public knowledge, the lawyers get involved.
"Once we get into post-breach litigation, then the finger-pointing starts, because that's how lawyers get paid. And the defence starts, because that's how lawyers get paid. And you'll see this mature, robust post-breach litigation area spring up," Pogue said.
One legal issue will be whether the organisation that suffered the data breach was taking "reasonable" steps to secure the data.
The recent Nuix Black Report showed that penetration testers' biggest frustration was that organisations didn't fix things they knew were broken. If a vulnerability uncovered by a pentest wasn't fixed, and later it was used to commit the data breach, "your defensible position of reasonableness is not going to be very good. So that'll be bad," Pogue said.
The US has also seen a new pattern of pentesting. Penetration testers, including Nuix, are being hired by outside legal counsel, not by the companies themselves. If the pentest report goes to the lawyers, rather than to the client, then it's protected by client-lawyer privilege. Opposing counsel are then likely to get only a heavily-redacted version of the report, unless a judge forces the company to hand it over.
Under the Australian legislation, there are the legal questions of when a data breach is "likely" to result in "serious harm" to the affected individuals, or when unauthorised access to, or disclosure of, information is "likely" to occur.
The new provisions of the Privacy Act do suggest various factors that the courts should take into account.
What kind of information is involved? How sensitive is that information? Was the information protected by "one or more security measures" such as being encrypted? How likely is it that these measures could be overcome? What kind of people have obtained or could obtain the information? What kind of harm could this data breach cause?
As in the US, Australia can expect to see some important test cases to establish the meaning of all this.
And finally, there's the question of how the breach notices sent to individuals are to be worded, and whether they provide sufficient information.
All this will start to put some hard numbers against what until now have been nothing more than guesstimates of the return on investment for cybersecurity spending.
"We can talk about protracted litigation. We can talk about sunk cost, in terms of what it means to pay your lawyers, what it means to pay the salaries of your security professionals. If you don't take advantage of that, then you are intentionally walking away from that ROI," Pogue said.
There are also intangibles, such as loss of customer confidence, loss of market share, and loss of brand reputation.
And for cybersecurity professionals who can tell good stories to a non-technical audience, there's money to be made as an expert witness. Let the good times roll.