Corporations need to balance data transparency and security: legal experts

The Internet is driving greater transparency of information but has also created more risk for corporations drowning in customer data, according to two legal experts.

“The environment in which we all operate today is one of greater openness and transparency,” former High Court judge Michael Kirby said at a book launch for Corporate Information and the Law by Leif Gamertsfelder.

“People who live in the age of the Internet and social networks expect greater transparency from everyone, particularly from people with power” including government and large corporations, Kirby told CIO Australia.

Corporations should be viewed as “custodians of information,” said Gamertsfelder, an executive legal counsel at Commonwealth Bank. “The integrity and trust attributed to a corporation will be a function of how well it discharges this custodial role.”

Maintaining good cybersecurity is critical to maintaining trust with consumers and other stakeholders, he said. “We have to acknowledge that the attacks will continue. Corporations around the country will be subject to hundreds of thousands of attacks daily. They are part of the road rules for the information economy now.”

However, “cybersecurity demands much more than good-faith implementation of whatever technologies may be available,” he said.

“Achieving sustainable security practices requires mature information governance frameworks,” he said. “It is a process which requires a top-down approach involving the board, senior management and—among other things—policies, practices, standards, threat or risk assessments, privacy impact assessments, audits, testing, education, change management and finally, the effective implementation and maintenance of technology.”

Corporations are “maturing” in their approach to disclosing data breaches, but it remains a difficult issue, Gamertsfelder said.

“You always have to balance the issue of false positives,” he said. “It’s not always clear whether or not an event has happened and if you report on the basis of incomplete information or inaccurate information, you’ll cause a lot of consternation and disquiet in the community amongst the population of consumers and then you might ultimately find out there was no issue whatsoever.”

Gamertsfelder urged caution to policymakers considering mandated data breach notifications to the public. “Having a law which imposes penalties needs to be well thought through before it’s implemented.”

A flood of electronic information

Kirby warned Internet users to carefully consider the trail of evidence they leave when they write emails and post on social media.

Email and social media has added to an expanding amount of electronic evidence now available to courts, he said. “It’s created an overwhelming mass of information that threatens to drown us all.”

“Anything that people produce is ultimately deliverable to a court. There will be sometimes exceptions, but the law will normally provide access to the court to the best of all information and evidence, and that will include where it exists social media created by relevant witnesses or parties,” he said.

“I think that’s something that people don’t always think about when they create their social media,” he said. “It may have significance in a completely different environment sometime later.”

“Many a murderer goes to his fate or her fate because of the folly of the emails.”

Follow Adam Bender on Twitter: @WatchAdam

Follow CIO Australia on Twitter and Like us on Facebook… Twitter: @CIO_Australia, Facebook: CIO Australia, or take part in the CIO conversation on LinkedIn: CIO Australia