Digital Identity Blog

Should All Breaches Be Equal under the Law?

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

Australia’s ADMA Head Says Breaches Should Only be Reported if Consumers’ Personal Information is at Risk

Catch of the Day, an Australian online shopping site, recently reported a breach that happened three years ago. And, in the same virtual breath, the company said there was no risk to consumers.

So, if there were no risk to consumers, was it necessary to report the breach at all? That’s the point that Jodie Sangster, head of Australia’s Association for Data-driven Marketing and Advertising (ADMA), is making in an article by Kirsten Robb on (link to article).

Sangster warns against mandatory reporting when consumers’ data is not in danger of being compromised. “On the question of whether or not ADMA supports mandatory reporting, the position we take is, if it’s going to be mandatory, we need to set a sensible benchmark. If you set the threshold too low, consumers may be unnecessarily alarmed if they are not at risk.”

According to Sangster, even accidentally “cc-ing” email addresses in an email – rather than “bcc-ing” them – could be considered a data breach. Reporting such small data breaches would dilute the meaning of a warning in the event of a serious breach. Additionally, she notes that reporting every possible breach leads to a lot of unnecessary red tape.

Observes Sangster, “Are there daily data breaches happening? Probably not. Are there incidences where companies need to tighten security? Absolutely.”
