NZCS supports mandatory disclosure of security breaches
PRESS RELEASE – NZ Computer Society Inc. (NZCS)
2 August 2011
The New Zealand Computer Society (NZCS) today welcomed the recommendation from the Law Commission for mandatory
disclosure of serious security breaches.
NZCS Chief Executive Paul Matthews said today, “The New Zealand Computer Society (NZCS) strongly supports the mandatory
disclosure of serious security breaches and welcomes the recommendation from the Law Commission to finally put this in
place in New Zealand”.
“One of the fundamental concepts of privacy is control of your own information. Being made aware of when this
information falls into the wrong hands is essential”, Matthews said.
The Society recommends that staff with responsibility for security undergo security-specific training and certification
and all staff with responsibility for projects or teams be accredited with the overarching IT Certified Professional (ITCP) Certification.
“While sometimes genuine mistakes do happen, all too often breaches are entirely avoidable and occur due to lax security
and unqualified staff not following good practice”, Matthews said. “Businesses need to understand that if they don’t
take security seriously it can have dramatic consequences both for their customers and their reputation”.
A big issue under the current law is that, unless breaches become public through the media or other means, there’s no
incentive for unethical companies to disclose major breaches, especially where they’ve occurred due to lax security. In
fact, there’s a disincentive, given the damage to reputation that can ensue.
“With mandatory reporting of serious security breaches we’re entering a new era”, Matthews said. “Some breaches will
occur and undoubtedly some companies will be exposed. If these companies can’t show they’ve taken reasonable precautions
such as insisting their providers are properly trained and certified, the cost will be high in reputation and dollar
terms”, he said.
“However it’s more than just reporting. Albeit necessary, that’s the proverbial ambulance at the bottom of the cliff. IT
companies need to be proactive in relation to security and privacy”, he said.
“To put it another way, in conjunction with mandatory reporting people need to stop saying ‘we were hacked’ and start
saying ‘our approach to online security needs attention’”, Matthews concluded. “It’s time New Zealand companies got
serious about security”.
ENDS