Data breaches: just like cockroaches
The recent spate of data breaches has made me long for data breach laws like a pregnant woman craves pickles.
Recently, not only has Vodafone had a bit of a privacy stumble (or explosion, whichever you'd like to call it), but so has Telecom NZ, the Sydney Festival, Telstra, Trapster, Gawker media and TPG.
Now, there's nothing forcing these companies to tell us about their data breaches. It's all about gambling. If a company finds out about a breach, it can either come clean and suffer a loss now (how large depends on how bored the media is) or hold onto the knowledge in a sort of double or nothing deal.
If the company's lucky, the breach never becomes public and it escapes scrutiny for whatever data screw-up it's gone through. If it's unlucky, the breach comes out later and is potentially more damaging than if it'd said something first up.
Look deep inside your soul and ask yourself which option you think companies are more likely to take.
I believe I know which one they would take (backed up by research, albeit with a small sample size), which makes me think that data breaches are just like cockroaches. If you see one, there are bound to be hundreds lurking around somewhere where you can't see them.
So, while there's not a whole lot I can do about the cockroaches, there is something we can do about the data breaches. We can force them out of those comfy little dark holes they so love to hide in via data breach laws.
Yes, that's right companies, you must tell us if you accidentally spray our data all over the internet. You must tell us if our credit card details land fortuitously in the email box of the closest mob chief. You must tell us if you even think our data has been exposed.
Unfortunately, such laws are still a long way off. They were on the table as part of a privacy law revamp started back in 2008, but unfortunately they were relegated to the second tranche of a long process. Since the first tranche of that process hasn't even finished yet (a committee is looking into the legislation, due to report this year), I feel that data breach laws might as well be on the other side of the moon.
Could our system of introducing legislation be any slower?
I for one wish the process could be accelerated. Because until companies are forced to be accountable for any mess they create, there's no real incentive not to create it.