Regulations that will force Australian organisations to disclose whenever customers' data has been stolen may be one step closer, following the disastrous hacking of Sony's PlayStation Network (PSN).
In a statement issued yesterday, Minister for Justice, Home Affairs, and Privacy and Freedom of Information Brendan O'Connor said that such a system "appears necessary" in the face of privacy breaches "such as those we've unfortunately seen recently".
The Australian security industry has been debating the need for such a system for some time. Under current law, many security breaches are kept quiet, despite potentially damaging consequences for those who have had their information stolen. The PlayStation case, which resulted in extensive downtime for the online gaming network following a virtual break-in and the theft of customer information, could affect up to 1.5 million Australians.
At the heart of the changing legislative path is the Federal Government's pending response to the Australian Law Reform Commission's review of Australian privacy law. Dubbed "For Your Information — Australian Privacy Law and Practice", the report was released in August 2008 and contained a strong recommendation that Australia introduce data breach disclosure laws.
However, at the time, Special Minister of State Senator John Faulkner told journalists that it was likely to be at least 18 months before the government would consider legislating for mandatory data breach laws. This week, O'Connor wouldn't give a firm commitment as to when the government would respond to the mandatory data breach recommendation in the ALRC report.
"The government will consider its response to the remaining 98 recommendations of the ALRC review into privacy, including a proposal to require companies to inform customers of a data breach," he said. However, the Minister noted that he is "very concerned" about the alleged theft of personal data belonging to customers who have PlayStation Network accounts.
"I've raised the issue with the Privacy Commissioner," he said. "The Privacy Commissioner has the power to investigate potential breaches of privacy, and may do so in response to a complaint or of his own volition. I understand the Privacy Commissioner has made enquiries with Sony, and will be opening an 'own motion' investigation. I don't want to interfere with that, but it is very disappointing to me that it took Sony several days to inform its customers about the breach."
In addition, the minister said, Sony isn't alone in its problems.
"We've seen serious privacy-related incidents in recent months involving other large companies. All companies that collect customers' personal information must ensure that the information is safe and secure from misuse," he said.