A priori, companies do not necessarily like this, but it is a step that will have to be taken if we ever want a higher level of security: I have just found, via Bruce Schneier's blog (him again), an interesting study entitled "Security Breach Notification Laws: Views from Chief Security Officers" from the Samuelson Law, Technology & Public Policy Clinic, University of California-Berkeley School of Law (December 2007). It takes stock of the handful of American laws that provide for "Security Breach Notification".

The study, which I intend to read in full (52 pages) soon, seems clearly to point in this direction, and does so even from an industry perspective, as the excerpt below shows:

This study surveys the literature on changes in the information security world and significantly expands upon it with qualitative data from seven in-depth discussions with information security officers. These interviews focused on the most important factors driving security investment at their organizations and how security breach notification laws fit into that list. Often missing from the debate is that, regardless of the risk of identity theft and alleged consumer apathy towards notices, the simple fact of having to publicly notify causes organizations to implement stronger security standards that protect personal information.

The interviews showed that security breaches drive information exchange among security professionals, causing them to engage in discussions about information security issues that may arise at their and others’ organizations. For example, we found that some CSOs summarize news reports from breaches at other organizations and circulate them to staff with "lessons learned" from each incident. In some cases, organizations have a "that could have been us" moment, and patch systems with similar vulnerabilities to the entity that had a breach.

Breach notification laws have significantly contributed to heightened awareness of the importance of information security throughout all levels of a business organization and to development of a level of cooperation among different departments within an organization that resulted from the need to monitor data access for the purposes of detecting, investigating, and reporting breaches. CSOs reported that breach notification duties empowered them to implement new access controls, auditing measures, and encryption. Aside from the organization’s own efforts at complying with notification laws, reports of breaches at other organizations help information officers maintain that sense of awareness.

A perspective that is, once again, consistent with an Industry Canada working paper (available in French and in English) that I keep citing (here and there) and regard as a major document, but whose relevance struggles to get any recognition on that side of the border. Bill C-27 on identity theft does not mention it, adopting a rather unsatisfying classical attitude (namely: criminalize the behaviour, fine, but prevention does not appear to be valued much).