IT security laws in Asia Pacific still weak

27.09.2005
By Melissa P.

Despite ongoing efforts by most government agencies to better protect users and consumers from the damage caused by IT security breaches and attacks, laws remain weak across Asia Pacific.

"Apart from countries like Singapore and South Korea, the majority of Asian countries still have weak laws against hackers who have been increasingly launching more attacks at businesses," said Ken Chia, principal of Singapore-based law firm Baker & McKenzie, Wong & Leow during the MediaConnect Asia security forum.

He added that although companies or organizations should ideally be held liable to their customers when private information or data is stolen during security breaches or hacking attacks, most businesses continue to find legal loopholes to escape liability.

"Since there are not many established and defined laws on IT security, many businesses still manage to break away from liabilities even in cases where there are clear security breaches in their network and database systems," Chia noted. "The law is flexible so the industry should work harder in trying to establish more event-specific laws."

At present, implementing superior IT security systems remains optional under most regulatory compliance requirements for businesses across Asia.

A recent report from CIO magazine and PricewaterhouseCoopers concluded that corporations worldwide show a notable lack of focus on developing measures and strategies to prevent security incidents.

Only 37 percent of the 8,200 IT and security executives who took the survey reported that they had an information security strategy in place, while around 24 percent of the rest said that creating one would be part of next year's corporate strategy.

The study also reported a remarkable ambivalence among respondents toward compliance with government regulations, as well as a clear lack of risk management discipline and a continuing inability to create actionable security intelligence out of large volumes of data.

On the bright side, however, Chia also pointed out that new laws continue to emerge that push business organizations to put an IT security system in place in exchange for several company incentives.

Chia noted that in more advanced countries like the U.S., the enactment of new laws such as the Sarbanes-Oxley Act 2002 and other personal data privacy and security bills has forced nearly 85 percent of multinational companies to invest in deploying IT security as part of business regulatory compliance.

Included in the Act is a passage that requires all corporations to inform their customers, clients, partners, and members of their supply chain of the impact of possible security breaches that could compromise their personal data, including social security numbers.

Groups are also actively pushing for compensation for consumers who have been affected by the attacks and for fines for organizations whose systems have been breached.

"Although quite slow in pace, we are fortunate that the trend is moving towards Asia. Legal obligations to provide security are emerging, including privacy policies and liabilities of organizations," said Chia.

In Singapore, organizations can now be sued for negligence in cases where their networks or database systems are breached.

"Early this year, legal lawsuits against security breaches encountered by several credit card companies like Visa and MasterCard served as an example of the emerging trend in legal liabilities companies are being faced with today," Chia said.