Data-breach notification legislation is inevitable, according to the Office of the Australian Information Commissioner's (OAIC) assistant commissioner of compliance Mark Hummerston, and organisations need to ready themselves.
Speaking at SecureSydney 2012 this morning, Hummerston provided his personal view on the state of data breaches in Australia, and the pending legislation.
"I'm not a betting person, but I would bet that we will see mandatory data-breach notifications scheme in Australia probably introduced late next year, with some interim period for people to get their acts in order," he said, while also issuing a warning to companies that haven't yet taken the right precautions to safeguard user information.
"It's going to happen in Australia, [and] organisations need to be ready because when it comes around, there'll be less tolerance by my office."
When investigating companies that have experienced a data breach, Hummerston said that the office is very thorough due to the principle-based nature of the Privacy Act. Australia doesn't have laws that clearly state when someone's privacy has been breached, but rather a set of principles (which are currently undergoing reform) that can often be open to interpretation.
"The principle requires that an organisation must take reasonable steps to protect the personal information involved from misuse and loss, and from unauthorised access or disclosure. A lot of the work I do is around 'what are reasonable steps?'"
This means that for each breach, the OAIC needs to thoroughly assess the data that the organisation is holding, and determine what security measures are appropriate. For example, the assessment would expect to see greater levels of security in place if a database contains names and addresses than if only email addresses are stored. The assessment also takes other aspects of security into consideration.
"We do look at physical security measures, [such as] whether the secure storage structured facility is in place, we look at the computer and network security measures and we look at the communication security — are emails protected from unauthorised interception and intrusion?"
The OAIC also looks at security policies and procedures that regulate how staff and others can access personal information in databases, and how they might be able to share, move or publish that information. While the Privacy Act does not consider leaks of information by a single individual as a crime, a person who uses their organisation's resources to breach the Privacy Act places the organisation under the scrutiny of the law, since the organisation should have steps in place to prevent this from occurring.
"We look at the whole suite ... and then we make a judgment about whether [the] reasonable steps test has been met."
Hummerston offered advice to businesses based on some of the more common mistakes that his office sees.
"When your organisation is collecting information, whether it's online, or a form you fill in or over the counter with someone's name, taking notes about what the customer is saying, you need to think about the information you're collecting, [and] whether it's necessary for the purposes of your organisation. If it isn't, you're in breach of Australian law. If you collect it by mistake, you're in breach of Australian law."
He used the example of hotels photocopying customers' drivers licences as being an instance where information is being collected but is not at all needed.
"My driver's licence contains my organ donor status — that's health information."
He also warned companies that have experienced a data breach in the past.
"If tomorrow Sony PlayStation is subject to another hacking attack and it comes to us at the regulator, the reasonable steps test would be tougher. They should have learned from the mistakes of the past."
This may be why Hummerston's view of Telstra is particularly harsh.
"My personal view is that [Telstra's breach] was a systematic failure. The system failed several times, leading to illegal. That was because they were slack about it, they were lax about it, they didn't look at their systems, they didn't have the privacy concerns in place.
"To my personal annoyance, [Telstra security operations expert Scott McIntyre] described it as one little 'oops'. We have a fundamental difference of opinion. We say that Telstra's systems failed from the outset, and continued to fail over a period of time. There were at least four occasions when it could have been identified and should have been reported up and could have been fixed."
Despite not holding back his disappointment at Telstra, Hummerston also credited the telco for its privacy stance moving forward.
"At CEO level, there's, and, to their credit, in relation to our investigation and , Telstra has given us undertakings about remediating their system and providing us with progress reports on that remediation."
For the Telstra customers who are affected, however, Hummerston said that the damage has been done.
"I've seen very sad outcomes in privacy breaches where — I'm not over-dramatising — people's lives have been affected absolutely and cannot be restored to what they were before the privacy breach, all because someone, along the line, someone was lax about their responsibilities in managing this information."