21/03/2017
Last month, the mandatory data breach legislation was passed by parliament.
This law will require companies to promptly investigate possible breaches but also disclose to affected customers when their valuable data has been accessed, lost or stolen. This will mean that organisations will need to ensure that incidents are not only properly investigated, but also that the organisation understands where its valuable data is located, how it is protected and that there is a proper management chain in place so that breaches (or suspected breaches) can be reported quickly.
For some companies this will mean little change in how they presently carry on their businesses. For others, this may mean changes and investments need to be made in cyber security and how incidents are reported. It will undoubtedly have an impact upon the culture of organisations – data breaches cannot be ignored and there will be no option about whether or not to notify affected customers.
I would like to think that it will not be seen as an opportunity for security teams to ask for significantly higher budgets for more technology. If anything, any budget uplift should be spent on raising awareness among staff about what this legislation means and the importance of protecting valuable customer data. All staff will need to understand what their obligations are in making sure incidents are quickly remediated and reported.
This law was designed to give consumers the opportunity to know whether their private information has been stolen or accessed by unauthorised third parties, and allow them time to further protect or change their information. And of course, in the event of a breach, it is supposed to drive organisations that store and use valuable information towards greater transparency to report and action the breach in a timely manner.
There are many views on the introduction of this legislation: will it place more reporting burdens on business? Will it result in costs around internal reporting structures so breaches are made known quickly? Will it mean “over reporting” of incidents? More money spent on security? Possibly yes to all those questions. However, where appropriate, that’s not necessarily a bad thing.
Asking businesses that hold valuable customer information to do all things reasonably necessary to protect data from theft and unauthorised access should be seen as a cost of doing business. Not only is it the law, it is good business practice. Irrespective of any legislative imperative, all businesses that hold valuable customer data should always know what data they hold; who has access to it; where it is across the globe; who is protecting it; and how well it is protected. I can assure you that in the event of a breach, you will want and need to know the answers to these questions.
But beyond the law, this legislation should not impose a huge shift for values-led organisations. It makes absolute sense that if valuable customer information (that is entrusted – and often demanded as part of delivering a product or service) is accessed or stolen, that this breach is disclosed to affected customers in a timely manner.
Customers – and this includes all of us as customers too – deserve to know about any breach that could mean our valuable data has been lost or stolen and we also need the opportunity to mitigate any damage in the best way possible.
There has been commentary around what the test for reporting and what “risk of harm” will mean. I would encourage all organisations to approach “harm” from the perspective of their customers and not apply a strict legal test. Harm when it comes to loss of personal information is, in my experience, always in the eye of the beholder.
I would also encourage all organisations who may approach this legislative change with some reluctance to consider it as an opportunity to get the right settings in place. Boards should want to understand what this legislative change means for them and whether they are managing their cyber security risks effectively.