The head of the Association for Data-driven Marketing and Advertising (ADMA), Jodie Sangster, has clarified her position on mandatory reporting of data breaches, telling SmartCompany it is a company’s responsibility to report a breach only if it puts consumers at risk.
Sangster’s comments come as mandatory reporting is again put in the spotlight after Catch of the Day last week reported a data breach three years after it took place.
Mumbrella recently reported Sangster had warned against mandatory reporting, as it may see consumers unnecessarily “flooded” with reports that their personal details may have been compromised.
“On the question of whether or not ADMA supports mandatory reporting, the position we take is, if it’s going to be mandatory, we need to set a sensible benchmark,” says Sangster.
“If you set the threshold too low, consumers may be unnecessarily alarmed if they are not at risk.”
Sangster says if there are any circumstances in the data breach that present a risk to consumers’ security, then it is “best practice” for a company to report the breach to those affected.
But she says if the breach does not put consumers at risk, then it is not necessary to report it.
Even accidentally ‘cc-ing’ email addresses in an email – rather than ‘bcc-ing’ them – is considered a data breach, according to Sangster. She says reporting such small data breaches would dilute the meaning of the warning in the event of a serious data breach.
Sangster says there is no need for businesses to add extra red tape by reporting all data breaches, but companies should be aware they have a responsibility to protect data and should abide by this best practice.
While the best practice is currently in ADMA’s code of conduct, legislation on data breach reporting has failed to pass the federal parliament several times.
Sangster says this is because the Privacy Commission’s guidelines are currently working.
“Let’s introduce legislation when we do have a problem,” she says.
“Are there daily data breaches happening? Probably not. Are there incidents where companies need to tighten security? Absolutely.”
In regard to Catch of the Day’s recent move to report a breach three years after the fact, Sangster says she is not aware of the reason the company would only now decide it should tell its customers.
“Catch of the Day has said there was no risk to consumers. I’m not sure why they waited three years, there must be a reason, but I don’t know what that reason is,” she says.