Calls for compulsory data breach law v2.0

Telling your customers is just the start.

Australia needs laws to force organisations to own up to data breaches and clean up after their mess, delegates to an information security conference were told today.

US laws that required companies that suffered loss of personal information to tell their customers were a good start, but had to be reinforced with remediation, Symantec director of security and compliance Sean Kopelke told the Ecrime Symposium in Sydney.

Breaches typically occurred when malicious hackers broke in to computer networks to steal information such as credit card numbers from organisations, or through the incompetence of workers who disposed of information improperly or were conned into handing it to unauthorised recipients, a process known as social engineering.

"The concept of data-breach notification is a step in the right direction so long as it is balanced well," Kopelke said.

"The risk is we go too far that it puts a burden on organisations who can't handle it."

He said breach laws - if they were enacted in Australia - had to "have follow on".

"It's fine to notify [affected customers of a breach] but what are we going to do about it [afterwards]?

"The only cost to that [breached] organisation is brand protection and reputation. What things will be put in place to make sure it won't happen again?

"It needs not just notification but a subsequent follow-through process."

The average cost of a data breach was about $200 an individual, insufficient to spur a police investigation in most cases, the audience heard.

FBI legal attache in Australia, William Blevins, said police would not get involved in petty crimes but that one instance could be the tip of the iceberg for a broad-based fraud.

Australia would benefit from a central clearing house of information such as the Internet Crime Complaint Centre or IC3 in the US, which collected complaints from users of fraud or online child abuse, aggregating them and sending them to authorities if there was evidence of gross criminality.

"If you're going to sue for damages you've got to understand what those damages are," Kopelke said.

"As an individual, I'm not going to sue but that real cost goes back to the bank.

"It's a real cost [if] that $200 a record was multiplied by 100,000 records."

Organisations could use their heightened security posture as a marketing tool to differentiate them from their competitors, Kopelke said.