Australia's mandatory data breach disclosure laws will slipstream behind the Federal Government’s proposed reforms to give individuals power to sue if privacy is compromised.
A discussion paper for the proposed privacy reforms (pdf), announced last week by Home Affairs Minister Brendan O’Connor, could introduce, among other measures, a statutory cause of action for individuals who have suffered serious invasions of their privacy.
A spokesperson for O'Connor said, without naming a date, that "proposals for mandatory data breach notification rules [would be] considered by the government once foundational reforms to the Privacy Act have been progressed."
The department said it was “well advanced” in its consideration of the privacy reforms that precede the data breach notification proposal.
Public consultation on the privacy reforms ends 3 November.
Recommendations for data breach notification laws by the Australian Law Reform Commission (ALRC) made in 2008 have remained in a state of consultation for years.
But O’Connor’s department said it would bring forward consideration of the proposed laws if it was presented with evidence that information security within businesses was inadequate and loss of personal information was increasing.
“If there is evidence that the problem [of data breaches] is growing, and companies are not protecting their customers’ private information appropriately, the government will consider bringing forward consideration of the ALRC's [data breach notification] recommendation,” the department spokesperson said.
If adopted, Australian businesses could be required to publicly disclose instances of data loss where customer information had been compromised.
Based on US laws, this could include instances where staff had lost laptops or USB sticks, or where data had been stolen through hacking.
There were no requirements in Australia for organisations or individuals to report data loss and no mandatory punishments for those that do.
And the government may find it difficult to encourage businesses to come forward and admit to data loss. Dozens of SC information security sources unanimously say that businesses were encouraged by lawyers and insurance companies not to report data loss.
Those who work to rectify and mitigate security breaches say the scale of data theft dwarfed that known by the government and reported in the media.
Visa had identified that some 40,000 small to medium-sized businesses were at high risk of falling victim to a data breach and losing credit card data.
Fraud in these businesses was thought to be lower-value but very common, with almost all instances unreported to government or the media.
Government investigations into data breaches rose 27 percent last year.
O’Connor’s department said it would still consider data breach notification laws, even though the privacy reform documents referred to a statement by New Zealand privacy advocate Professor John Burrows that such laws could be unnecessary if a statutory cause of action was introduced.
The Australian Information Commissioner had previously issued voluntary guidelines for data breach notification.
Privacy commissioners may impose undertakings on businesses found to have breached data but these typically included only basic improvements to security arrangements.
According to the recommendations, data breach laws could “provide commercial incentives for organisations to take adequate steps in the first place to secure data.”
Copyright © SC Magazine, Australia