New privacy laws have created an uneven playing field, an IT expert says. Photo: Phil Carrick
Australia's new privacy breach notification laws could create an uneven security playing field, where companies "dumb down" their monitoring capabilities to protect their reputations, a security expert has claimed.
The new mandatory data breach notification bill, introduced by federal Attorney-General Mark Dreyfus, was debated in the Senate last week. It requires organisations to notify the Privacy Commissioner and affected consumers when a data breach occurs. Fines could be imposed on organisations and individuals.
If passed, the law could come into force by March 2014.
However, consulting firm Securus Global chief executive Drazen Drazic believes the legislation will have little effect where it is most needed: on poorly protected firms that do not properly monitor their systems for attacks.
Drazic told IT Pro the government had approached the issue the wrong way around: it should first have legislated minimum security standards in order to establish a level playing field.
"The idea of a base level equal playing field throws a spanner into the works and turns something relatively simple into a larger, broader and more complex strategy - but overall a better one," he said.
The new rules create an uneven playing field, he wrote in a blog post.
In their current form the rules penalise organisations that detect more breaches, Drazic argued, and those are most likely the firms with good security practices and accurate monitoring capabilities.
The new laws would force these security-conscious businesses to disclose more breaches, while "clueless" companies that don't know they have been attacked could simply plead ignorance.
"A better, more secure company, who knows what is happening in their IT environment, is in more danger of being negatively impacted than a less conscientious company," he said.
This meant, he argued, that the legislation would not improve the quality of security through transparency. Instead it could see companies "dumb down" their logging and monitoring capabilities, as well as their governance, so that they did not detect breaches in the first place. With fewer breaches detected there would be fewer to report, protecting their reputation.
"Without a level playing field, their less secure competition can plead ignorance to understanding whether a breach has occurred," Drazic said.
"So why continue the expense involved ... it would make better business sense to dumb down and minimise the risk of being put into a position of public breach disclosure."
When asked about the claims, a spokesperson for the Attorney-General's Department pointed to a report by the US Government Accountability Office, which found data breach notification requirements encouraged businesses to improve their security practices to minimise legal liability and avoid public relations risks.
Dreyfus has penned an opinion piece for Fairfax Media today, saying that in addition to helping protect the privacy of individuals, the new laws will "provide an incentive for businesses to store information securely. No business wants a reputation for not keeping its customers' personal information safe," he argues.
His office said security practices would be strengthened through the Privacy Act and the Privacy Commissioner's ability to impose tough penalties on companies that did not comply with the new regulations.
The department spokesperson said: "The above measures will provide a strong incentive for private sector organisations to implement high standards of data security before the new scheme commences."
During a speech last week at the Privacy Reform and Compliance forum in Sydney, Dreyfus said the notification requirements were just the first step.
"This will act as an incentive to the holders of personal information to adequately secure that information, leading to an improvement in information security practices.
"A mandatory data breach notification scheme will also provide better information to government and the public on the scope and frequency of data breaches. That could be vital in the development of measures to combat the frequency and severity of data breaches."