Jul 30
Should All Breaches Be Equal under the Law?
Australia’s ADMA Head Says Breaches Should Only be Reported if Consumers’ Personal Information is at Risk
Catch of the Day, an Australian online shopping site, recently reported a breach that happened three years ago. And, in the same virtual breath, the company said there was no risk to consumers.
So, if there was no risk to consumers, was it necessary to report the breach at all? That is the point Jodie Sangster, head of Australia’s Association for Data-driven Marketing and Advertising (ADMA), makes in an article by Kirsten Robb on startupsmart.com.
Sangster warns against mandatory reporting when consumers’ data is not in danger of being compromised. “On the question of whether or not ADMA supports mandatory reporting, the position we take is, if it’s going to be mandatory, we need to set a sensible benchmark. If you set the threshold too low, consumers may be unnecessarily alarmed if they are not at risk.”
According to Sangster, even accidentally “cc-ing” email addresses in an email, rather than “bcc-ing” them, could be considered a data breach. Reporting such small data breaches, she argues, would dilute the meaning of a warning in the event of a serious breach. She also notes that reporting every possible breach creates a lot of unnecessary red tape.
Observes Sangster, “Are there daily data breaches happening? Probably not. Are there incidences where companies need to tighten security? Absolutely.”