As someone who has been campaigning for mandatory data breach disclosure laws in Ireland for a number of years, I am pleased to see the proposed Data Security Breach Code of Practice from the office of the Data Protection Commissioner. I have long argued that organisations need to realise that the data they hold on staff and customers is not theirs, but rather has been entrusted to them by those individuals. The purpose of breach notification should not be to punish the organisation that suffered a breach, but rather to help the affected individuals take appropriate steps to protect themselves, especially nowadays with identity theft and financial fraud being so rife.
The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data (e.g. encryption) need not notify anybody about the breach, and neither need those whose breach affects only non-sensitive personal data or small amounts of sensitive personal data. Yet companies that have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.
The other benefit I see from this proposed code is how, as an industry, we can all learn from the mistakes or misfortunes of those who suffer a breach. I believe we would not have as many encrypted laptops and other mobile devices as we do today were it not for the widespread publicity of lost unencrypted devices in the past. While you can argue that encryption alone is not the answer and may simply be a knee-jerk reaction, it is at least a step in the right direction. Those attacking our systems are sharing the potential exploits and weaknesses amongst each other; having breach disclosure laws in place helps those of us tasked with defending those systems to better shore up those defences and potential weaknesses.
Ireland has shown itself to be a leader in introducing legislation to benefit its citizens, the smoking ban and the plastic bag tax being two that come to mind. The introduction of the Breach Code of Practice is another example of how Ireland can better protect her citizens and provide an effective information security governance framework for businesses to follow.
I would be interested in your thoughts on the matter. Why not share them below in the comments, or indeed submit your feedback to the Data Protection Commissioner?