Posted Oct 14, 2008 | By Merri Mack

To disclose or not to disclose - data and privacy breaches

A survey by Logica, an IT and business services company, has found that 60% of those who have experienced a data breach did not tell their clients and half failed to tell the police or authorities. Moreover, more than half of the companies fail to understand the impact of a security breach.

Earlier this year, the Australian Privacy Commissioner issued a consultation paper on voluntary disclosure of security breaches involving the inappropriate exposure of private data, and requested public comment on a draft voluntary breach disclosure guide. Gartner's Andrew Walls, research director for security, risk and privacy, comments that the draft guide does not set out a consistent or well-defined approach to three questions: when disclosure is required, who should be notified of a breach, and how quickly disclosure should follow the breach.

Walls says, “It is extremely unlikely that Australian organisations will voluntarily disclose security breaches without legislation mandating breach disclosure by all organisations managing private data.

“Organisations that comply with the voluntary guidelines place the reputation of their organisations at risk. Most are unlikely to voluntarily disclose breaches to the public if their competitors are unwilling to do so.”

An amendment to the Privacy Act requiring disclosure of privacy breaches has been proposed and is under review by Parliament, but it does not contain operational guidelines for breach disclosures.

Gartner recommends that security professionals study the Privacy Commissioner’s guide carefully and assess the impact of achieving compliance with its recommendations. The Privacy Act is not likely to be updated to include mandated disclosure until 2010 at the earliest but it is important to be prepared.

The Logica survey revealed that more than half (57%) of those surveyed have “no idea” of the impact of a security breach on their business or organisation. A continued lack of engagement with the issue is evident: just 16% of firms have a 'Value at Risk' profile for the information assets they own or control, and half of respondents believe that security is solely an IT departmental issue.

Tim Best, director enterprise security solutions at Logica, commented on the findings: “Data losses put customers at risk and can lead to large contracts being withdrawn, and it increases the likelihood of financial and reputational consequences.

“It is time to take action — it should be mandatory for all organisations to report significant breaches of confidential personal information to their regulatory body. Only through mandatory reporting will the scale of the problem be understood, which will lead to the correct solutions being applied.”

Best adds: “Security should not be the sole responsibility of the IT department; it is a boardroom issue and the focus must be to protect the trust that clients have in an organisation. If you have experienced a security breach, it is essential to conduct a risk assessment to understand the issue and avoid a recurrence. All organisations must put in place mandatory services and policies which enable compliance with legal requirements and establish coherent, comprehensive and cost-effective security controls and policies throughout the organisation.”