Symantec helps govt on data breach laws
Symantec revealed at a media conference in Sydney last friday that it has been advising the Federal Government on data breach notification laws.
The laws, which are currently being considered by the Australian government and have been implemented in 46 US states, would require changes to the Privacy Act and would force any company found to have lost or distributed personal information to immediately notify those affected.
"We've been involved in this, providing advice and support, both from a technology and an experience point of view with other governments we've been participating with," said Craig Scroggie, Symantec vice president and managing director, Pacific region. Scroggie revealed that the company has been advising the Australian Law Reform Commission and the Office of Prime Minister and Cabinet.
Symantec CEO Enrique Salem said he felt disclosure laws would be soon implemented in the pacific region, telling attendees: "There are laws that are currently being worked on here in Australia and in New Zealand that will absolutely push the notion that if data is stolen, you have to say".
However, Salem strongly advocated for safe harbour provisions that would negate the need for notification in some cases, such as a laptop being stolen but the data on it not being compromised. "The reason we think a safe harbour is important is because you don't want to create panic. You don't want users to be alarmed if they have no reason to be," he said.
Currently 46 states within America have data breach disclosure laws in place, with Salem suggesting these will shortly be consolidated into one federal law. Countries including Spain, India, Italy, UK, France and Germany already have disclosure laws in place, with other nations such as Canada implementing guidelines for the dissemination of lost or distributed personal information. The extent of what constitutes 'personal information' however varies between countries, and in America between states, with standard conventions yet to be introduced.
Salem also said hackers were using increasingly personalised information to target individuals. This, he said, has led to a rise in signatures, with over 1.7 million signatures written by Symantec in 2008 — more than the total amount written in the previous seventeen years. "The likelihood of a response is significantly higher if it's personalised; and so that's what's forced us to have to write so many signatures. So what that means is the traditional methods of protecting our consumers and our business will not work anymore".
Salem claimed reputation-based security may be the answer, "It will be based on the reputation of the applications on your computer. Office or Adobe Acrobat will have a good reputation. A piece of malware that gets downloaded onto your computer, because it was recently created and only run by a few people, will have a low reputation and so it wont be run".
Salem denied suggestions that software with a 'good reputation' may be targeted by hackers, and that insufficient security systems within these programmes would make them more susceptible to malware.
"The reputation is based on 'is the programme malicious', not 'does it have vulnerabilities'. We're not trying to rate the security of the programme" Salem responded, "We're not recommending it; we're just saying it shouldn't attack ... It might attack you but then it would lower the reputation".
Salem said that certain viruses were platform independent, with web-based applications being targeted. "Its interesting because a lot of the data we care about is independent of the platform. It doesn't matter if you're on an iPhone, a Mac, a Linux box, you go on the internet, that's where you become vulnerable... I don't think there's any benefit to one over the other from a true security perspective."