This white paper provides ten recommendations for data breach and information security policy, drawn from published research and extensive experience with data breaches, breach notices, and information security more broadly.
The Dos and Don’ts of Data Breach and Information Security Policy:
- Don’t equate data breaches with identity fraud or other consumer harms.
- Don’t become so preoccupied with data breaches that you lose sight of other, far more serious, security risks.
- Don’t count the cost of poor security just in economic harm to individual consumers or businesses.
- Don’t trivialize breach notices by requiring them when there is no reasonable risk of harm.
- Don’t go it alone.
- Do take data security seriously.
- Do create incentives for good behaviour.
- Do collaborate to succeed.
- Do anticipate, don’t just react to, threats.
- Do be realistic.