Data breach laws years away

Data breach laws years away

Summary: The Australian Law Reform Commission yesterday released a report recommending Australia introduce data breach disclosure laws — but Senator John Faulkner said that bridge would not be crossed by government at least for the next 18 months.

SHARE:

The Australian Law Reform Commission yesterday released a report recommending Australia introduce data breach disclosure laws — but Senator John Faulkner said that bridge would not be crossed by government at least for the next 18 months.

John-Faulkner

Labor Senator John Faulkner
(Credit: ALP)

Senator John Faulkner at yesterday's press briefing held at the ALRC's offices said the government would not consider legislating mandatory data breach notification laws until it had completed reviewing more important changes over the next 18 months.

Due to the complexity of the task ahead, the government intended on breaking its response to the three-volume report, consisting of 295 recommendations, into two stages.

"The government will be able to legislate on the first stage in the next 12 to 18 months," Faulkner told journalists.

The first stage of recommendations the government will wade through are so-called Unified Privacy Principles, which aim to consolidate concurrent privacy principles that apply differently to the public and private sectors. It will also deal with health-related privacy issues.

"The second stage of the response will consider the remaining recommendations, including those relating to exemptions [from the Privacy Act] and data breach notifications," said Faulkner.

If the proposed mandatory data breach disclosure laws are legislated as recommended by the ALRC, it would mean that any organisation that suffered a data breach, which resulted in the exposure of personally identifiable information, would need to report the breach to the affected individual and the Office of the Privacy Commissioner.

However, for that to occur, the breach must also likely result in actual harm to a person — a decision that the ALRC has recommended be made by the organisation that experienced the breach.

"The initial determination [of whether there is a risk of harm to an individual] will be done by the agency or the organisation," said Professor Les McCrimmon, commissioner in charge of the Privacy Inquiry.

There was, however, a check for organisations that avoid disclosing a breach to affected customers, said McCrimmon.

"If you get a situation where there hasn't been notification, and it does become public, then I'm sure the Privacy Commissioner and others are going to be looking at this and asking why you didn't notify," he said.

The "harm" threshold the ALRC has recommended is a critical difference to California's data breach disclosure laws which do not contain a similar limitation.

McCrimmon said the ALRC had not recommended notifications be made to the general public because a company could still be hacked despite its best efforts to secure its systems.

"At a talk that was given by the head of security for Microsoft, she said there is no system in the world that has been built that can't be hacked into. It may be a one off situation that doesn't indicate the organisation is treating information willy-nilly," he said.

Laws won't require huge investments in security

Fears exist that data breach disclosure laws would result in businesses facing huge reporting costs and a burden to invest more heavily in security. But Gartner security, privacy and risk analyst Andrew Walls said most businesses will escape the need to invest new security technology.

"They shouldn't require a large investment in technology to comply with what they're recommending at this point. All that is being recommended is that your systems are being monitored and that you can identify breaches and records of those affected by breaches," Walls told ZDNet.com.au.

"Every financial services organisation does this as a part of the normal course of business. That is, monitor and know what's occurring on their systems," he added.

However, retailers may face a different plight, according to Walls.

"Retailers are well monitored in terms of their back-end systems. The front-end systems however, which have been involved in huge debacles like TJX, still have issues there, but that's more about insufficient practices than insufficient technologies," he said.

Walls said the most likely source of data breaches would be caused by insiders to an organisation.

"It will be the result of either a mistake or done out of curiosity [by an employee]," he said.

Although mass breaches will likely be the result of lost laptops rather than malicious attacks, he added. However, most Australian organisations, similar to counterparts in Europe and the US, fail to apply file or whole disk encryption to laptops, despite the wide availability of free encryption technologies.

Walls also said an instance where people may expect to be notified of a breach but won't be is if their online bank account has been hacked via the use of keyloggers or a trojan.

"If your bank knows that someone has written a worm to go after clients of that bank and it knows a certain number of customers have been affected, does the bank have an expectation of disclosure? Well, no, they haven't been breached — the customer has been breached."

Topics: Security, Hardware, Privacy, Storage

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion