Organisations that expose private information about customers will be legally bound to disclose the breach to the public under new amendments to the Privacy Act being considered by the Australian Law Reform Commission.
Gartner security analyst Andrew Walls said that data disclosure laws have a "99.99 percent chance of getting up" when the commission delivers a report to the federal Attorney General early next year.
"I think it's inevitable," Walls said. "It's a logical next step from the Privacy Act of 1988. I see it as a very positive move."
There are no laws currently in Australia that obligate an organisation to inform customers, government agencies or the wider public about breaches in data security.
Data disclosure laws were introduced in California (The California Law on Notice of Security Breach) in 2002, and have since rolled through to 40 different states across the USA.
Walls said that Australia is well positioned to "set the ball rolling" on its own disclosure laws. "The only issue is in the details. What constitutes a privacy breach? What constitutes a disclosure? That's what parliament is there to sort out."
The Office of the Privacy Commissioner made its position on the issue clear in a submission to the Law Reform Commission in March 2007.
"The Office suggests that the Privacy Act be amended to add provisions requiring agencies and organisations to advise affected individuals of a breach to their personal information," said the submission.
"This would provide a strong market incentive to organisations to adequately secure databases to increase consumer trust and avoid potential brand damage and negative publicity."
Walls agreed that such laws will improve the quality of corporate security and the protection of a customer's private details.
"Security will no longer be a backroom operation," he said. "Its success or failure will have a real impact on the ability to attract and retain customers."
But coping with the obligations will be a "painful transition" for those organisations with lax attention to IT security, he said.
"The sheer cost of managing the reporting requirement, having the internal mechanisms to track a breach, to quantify it, to identify the affected customers is no short order -- let alone the PR effort it takes to manage disclosure."
"The only reason a company will suffer from reputational damage is if they are doing a poor job on their security," he said. "I do think it will sharpen them."
Walls likens the change to the introduction of compulsory product recalls, which gave consumers an insight into how brands performed as manufacturers, resulting in better product development.
"Data disclosure laws will inform the market about an organisation's level of competence in managing security," he said.
"As a consumer it's in your best interest to know as much as you can about the competence of a company. If company X had 10 major security breaches, and company Y had two, you know who you are more likely to trust."
"You deserve to have your own evaluation as these companies are managing your information on your behalf."