Full Disclosure

'Stronger data breach laws needed in Asia'

CA exec calls for full disclosure...

By Victoria Ho

Published: 28 September 2007 11:25 BST

Governments in Asia need stronger data-breach laws to ensure businesses improve the security of their customer data, according to a senior CA executive.

Jerry Cox, CA's director of security sales for the Asia-Pacific region, including Japan, said in an interview: "Strong laws would force a company to disclose security breaches often involving the loss of customer data."

This, Cox explained, would protect the people whose data was compromised. Strong data-breach laws would also ensure companies took data security more seriously, especially if there were penalties in the form of monetary fines, or risks of reputation damage due to public disclosure.

According to Cox, Japan and Korea are ahead of most parts of Southern Asia in establishing such laws.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.

"In Japan, companies pay for security breaches in the form of an 'apology fine', sometimes per user account affected, which can amount to millions of dollars," he said. "Unfortunately, most of Southern Asia is not at [the] level [of Japan] yet."

Cox said California is an example of strict data-breach laws "driving good security practices". California's law - SB 1386 - requires businesses to disclose data-security breaches to residents if their unencrypted personal information is compromised. Other US states have since introduced similar laws, and the UK is moving in that direction.

Noting that the penalties in Asia are often disproportionately low in relation to the crime committed, Cox said: "In Singapore, spammers can be fined. But you've got half the population online, so it's a bigger crime than it seems, and the penalties should be more severe."

Cox added: "In the United States, the penalty for spamming is jail."

On what would be a long-term measure to protect data, Cox suggested educating people to be more careful and aware of "sound security practices".

Cox also highlighted the importance of establishing a good security foundation before implementing "higher level" security measures such as identity management.

Explaining what constitutes a foundation of "sound" network security, Cox said that putting up firewalls and antivirus protection, as well as building policies around user permissions, should be completed before implementing ID management.

Companies that do not have a good foundation risk the failure of automated security processes such as ID management, Cox warned. Compared to their western counterparts, more companies in the region are going down this path, he said, noting how easily available such technologies are in Asia.

Cox said: "While the United States went with the evolution of security tools, companies in Asia have a lot to choose from, even if their organisations are not ready." Unlike many Asian companies, those in the US "grew" their security implementations, with the sophistication of the tools available, over time, he said.

He added that enterprise security policies may not be as developed in Asia, and estimated companies in this region to be "five to seven" years behind their US counterparts, despite having access to the latest technology.

Victoria Ho writes for ZDNet Asia
