The Attorney-General's Department is polling the public for its views on the introduction of mandatory data breach-notification laws, with the department releasing a discussion paper today.
Data breach-notification laws were first raised by the Australian Law Reform Commission (ALRC) in 2008, during an inquiry into Australia's Privacy Act, but the recommendation to amend legislation is yet to see any parliamentary debate.
The discussion paper (PDF) goes over the current factors both in favour of and against introducing legislation that will require those regulated under the Privacy Act to disclose when they have experienced a breach of security that leads to the loss of customer and/or user information.
Questions raised in the paper cover whether Australia needs breach-notification legislation, and who it should be applied to. It also opens the discussion to the specifics of how legislation should be applied, if it goes ahead.
This includes what level of severity a breach must reach before organisations are required to report it. The paper acknowledges that much of the debate focuses on the "trigger" level for notification, noting that forcing notifications for minor breaches may introduce "notification fatigue". Similarly, the paper points out that a notification trigger based simply on the number of records disclosed may not be ideal, as the type of information lost affects whether the breach is significant.
The paper further asks who the breach should be reported to — whether it should be the Privacy Commissioner, the affected persons, or both, along with what information is provided to each.
Timeliness of the notification is also up for discussion, with the paper stating that if an affected person is notified too late, they will have no time to take corrective action, while requiring notification too early can be unrealistic, since organisations often don't know that they've been hacked until some time later.
Failing to notify relevant parties of a breach in a timely manner is expected to bring penalties against the offending organisation, and the paper is seeking the public's views on whether this is necessary — and, if so, what an appropriate penalty would be.
The paper also raises the question of whether law-enforcement organisations should be allowed an exception in cases where reporting a breach would be contrary to the public interest.
The Attorney-General's Department is accepting submissions until November 23, 2012.