Privacy Commissioner lukewarm on data breach disclosures

by Stephen Withers
Monday, 25 August 2008

Page 2 of 3
A hypothetical example from the Guide concerns documents being inadvertently printed on the back of paper that already carries sensitive information. Since the documents have been distributed to other parties, it isn't possible to be certain about the ultimate fate of each one (some may have been securely destroyed, but others probably haven't).

But what if a utility company's database was breached, and among the names and addresses revealed was that of an individual fleeing family violence? Or, possibly less seriously, what if a name, address and phone number were revealed for someone who's chosen a silent number?

The second possible reason for not notifying individuals of all breaches that may affect them might be concern about warnings of important breaches being lost in the noise of less important cases. But doesn't that imply that far too many breaches are occurring? If there was one breach a month but only one a year turned out to be serious, there wouldn't be a problem. But if an individual received a hundred notifications every month, then he or she might end up treating them all as noise.

Is there a parallel with the way Vista's frequent security warnings tend to lead users to either blindly click through them, or to turn off the feature altogether?

Does a weak notification regime shift the costs onto the wrong parties? Please read on.