Microsoft’s chief privacy officer, Peter Cullen, said the introduction of data disclosure laws in Australia should not be the centerpiece of an organization’s data protection strategy.
While Cullen believes legislation does have a role to play, he said the real focus should be prevention first and foremost. “Disclosure laws respond to a situation where the horse has bolted; it is better to focus on how to secure the barn,” he said.
“Breach notification has a role to play if consumers are harmed but a notification everytime information is misplaced isn’t necessary; there will be so many notices that they will have little impact.
“There is a lot of media attention around security breaches in the United States but it isn’t just happening there; it’s happening all around the world.”
As reported Monday in Computerworld a discussion paper will be released in coming weeks recommending the introduction of data disclosure laws in Australia.
It is part of a review of the Privacy Act and would force organizations to notify customers of security breaches.
Final plans around the introduction of the data disclosure laws go before the Federal Attorney General, Philip Ruddock, early next year.
Cullen responded to the privacy review during a recent visit to Australia which included Brisbane, Sydney, Canberra and Melbourne.
Cullen met local IT managers promoting the message “good privacy is good business”. He said privacy has to be at the forefront of plans when IT managers are designing systems.
“It is a challenging task when you think about how malware has taken on such an active and devious focus. It really puts pressure on IT managers, not to mention the growing complexity of compliance across international borders, that’s an enormous task,” he said.
“IT managers have to balance privacy with business objectives. While laws have a role to play, the real big stick here is reputation risk.”
Cullen said it is hard to make privacy a business priority in Australia because there hasn’t been a string of high profile breaches to drive a more pro-active approach.
He said the real damage created by poor privacy protection is consumer trust and how it hurts the industry overall.
“An organization can have the world’s greatest product but if the organization isn’t trusted it won’t have any appeal,” Cullen said.
“We need to arm users to protect themselves.
“IT managers feel like the meat in the sandwich because they have to provide systems that meet business objectives while still protecting data.”
