A fine mess: Global data breach legislation

Global consensus on data breach legislation is still evolving, but fear of brand damage is pushing reform, reports James Hale.

The Information Age introduced two universal truths: Data is a commodity, and as such, is prone to attack for either profit or other purpose. Beyond that, nothing is a given.

How data is treated, and what happens when its security is breached varies widely, depending on whether the breach occurs in Boston or Berlin, Oregon or Ontario. Data breach notification legislation has evolved in isolation and no two jurisdictions have taken exactly the same approach. Some countries – most notably Australia – lack mandatory notification laws altogether. As a result, doing business with foreign entities requires negotiating a patchwork quilt of legislation, and being a consumer whose personal information has been compromised means being treated differently, depending on which side of the divide you reside.

Newly enacted legislation in California – where Senate Bill 46 became law on Jan. 1 – and a proposed directive by the European Parliament promise increased clarity and consumer protection. In California, the definition of personal information has been expanded to include “a username or email address, in combination with a password or security question and answer that would permit access to an online account.” The EU reforms – the first since 1995 – will impose 24-hour breach notification across all 28 member countries and steeply increase fines for breaking the rules.

As forward-looking as these new laws are, the evolution of policy continues to lag behind technology. Some observers believe that will likely remain the case for the foreseeable future.

Global data breach law

Jack Daniel, technical product manager, Tenable Network Security

Rhiannon Davies, associate, DAC Beachcroft

Michelle Dennedy, chief privacy officer, McAfee, An Intel Company

Patrick Hill, lawyer, DAC Beachcroft

Marc Vael, international VP, ISACA; head of internal audit, Smals

“It takes time to legislate change,” says London-based lawyer Patrick Hill, whose international law firm, DAC Beachcroft, published an extensive guide to data breach laws around the world. “Perhaps we will get smarter, but I suspect that policy will always be reactive.”

In fact, says Marc Vael, international vice president of ISACA, the nonprofit advocacy organization for professionals in information security, assurance, risk management and governance, and head of internal audit for Smals, a Brussels-based information technology and services firm, the burst of legislative activity in both the EU and California is likely a result of the growth of social media and resultant consumer demand. “The commercialization of social technologies has been a game changer in breach notification,” Vael says. “There is a global consensus that people have the right to know about what is happening to their data and a perception that data is being abused.”

Other experts agree. “Big Data is like teenage sex,” says Michelle Dennedy, chief privacy officer of Santa Clara, Calif.-based McAfee, An Intel Company. “Everyone is talking about it, but anyone actually doing it is probably doing it badly.”

Her view is that legislators and policy-makers are well-meaning when it comes to consumer protection, but the follow-through is lacking.

“Privacy polls very well during election years,” she says, “and it is logical that the result would be one consistent law, but no. What happens is that legislators all go in different directions.”

Where those legislators go may address consumer concerns, but observers say that the EU response – which must proceed through council discussion before its scheduled adoption in May – is an example of how they often fail to take into account the realities of data collection, storage and use.