Lisa Banks reports:
The repeated hacking of Sony’s PlayStation Network hack has demonstrated the need for Australia to adopt mandatory data breach disclosure laws, a local security director has claimed.
While the PlayStation Network was back up and running for Australian users today, director of Clearswift, Phil Vasic, said mandatory disclosure laws would help prevent similar security issues from arising again.
“I think we need some kind of law in regards to mandatory disclosure,” he said. “…but the question on fines really needs to be decided via the Privacy Act.”
Read more on Computerworld (AU).
Somewhat ironically in light of debates here about the value of breach disclosure laws, Vasic argues:
disclosure laws have driven US companies to achieve best practice outcomes, and that such legislation in Australia could have a positive impact in reducing the number of cyber attacks and prevent the privacy act from continuing to be a toothless tiger.
“The onus locally has been really for the government to somehow become more responsible with mandatory disclosure laws,” Vasic said. “The US has had those for a while now and that’s helped from a customer perspective and drives the right kind of best practice behaviour.
If that were true, then why did Sony not even encrypt passwords after so many years? It is hard for me to guess what impact, if any, disclosure laws had on Sony’s security decisions, but I would venture to say that the exposure of their customer data and weaknesses – disclosed by hackers before any disclosure by Sony in response to any state laws – may have a bigger impact on their security going forward.