ADMA warns against mandatory reporting after Catch of the Day delayed revealing breach for three years
The Association of Data Driven Marketing and Advertising (ADMA) has warned that forcing companies to report data breaches could see consumers unnecessarily “flooded” with reports that their personal details may have been compromised.
Chief executive Jodie Sangster said making it mandatory to notify the Privacy Commissioner could be counter-productive as genuinely serious breaches may be lost amid a mass of unnecessary warnings.
Her comments came after news emerged that daily deals website Catch of the Day told consumers of a potential security breach three years after the incident.
The company claimed it had worked through the issue back in 2011 and only told the public of the breach now because advances in technology meant it may now be possible for passwords to be compromised.
Under current laws companies do not have to report breaches to the Privacy Commissioner. Although the debate over changing the regulations to make it compulsory is currently off the agenda, Sangster predicted the discussion will resurface.
She told Mumbrella that breaches where there was “no risk” to consumers did not need reporting.
“What ADMA would say is that if the consumer is put at risk with the type of data that has been breached then it is best practice to let them know,” Sangster said. “What we don’t want to happen is that every time there is a breach you have to go out and tell consumers.
“It should only be made compulsory if we can get to a sensible position whereby it’s of benefit to the customer and they are not going to get flooded with data breach notifications.
“If we go down the path of making it mandatory for every breach to be reported then the ones that are serious are not going to get through.”
Steve Jones
Really Jodie, is that the best argument you can come up with? And who exactly decides whether the consumer is at risk?
I’m the Privacy Officer at my full-service agency and I’d frankly be horrified at having to make a judgment call as to when “at risk” was appropriate.
User ID not verified.
As a customer I would much prefer my inbox filled with mandatory data notifications rather than my credit card statement with fraudulent transactions.
User ID not verified.
When is a breach of data not serious?
User ID not verified.
“What we don’t want to happen is that every time there is a breach you have to go out and tell consumers.”
And this is why it needs to be mandatory; you don’t want to do the right thing, so given the option, you won’t.
User ID not verified.
You would think that Direct Marketing professionals would be better at marketing their own position. It’s a terrible look for privacy reductions to be promoted by an organisation with vested interests.
User ID not verified.
#FacePalm.
#OwnGoal
User ID not verified.
The lack of self-insight displayed by these comments from ADMA is stunning. The horrified reaction to this from ‘normals’ i.e. people outside the industry, should tell them something.
User ID not verified.
What do you expect from an events business masquerading as an industry body?
ADMA is in the business of putting on expensive events not protecting consumers nor its stakeholders.
User ID not verified.
Jodie
Please give a yes or a no regarding whether this is your official position. It comes across as ignorant, misinformed and also creepy.
Thank you,
About to stop being a member
User ID not verified.
Surely there should be some threshold to reporting? I, for one, do not want to search through a haystack of notification emails to locate the one material breach needle that I may be concerned about.
User ID not verified.