It's nearly ten years since the world's first mandatory data breach notification law, California State Bill SB 1386, came into effect. Since July 1, 2003, if any government agency, person, or company that does business in California suffers a security breach, they have to notify residents "whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorised person".
Most of the other US states and the federal government have enacted similar laws, as has the European Union. And as data breach after data breach has been reported, the general public has slowly started to become aware of the IT industry's dirty little secret: We're really quite bad at protecting people's personal information from hackers, from leaving it lying around on web servers or on laptops left in the back of taxis.
The Australian Law Reform Commission recommended back in 2008 that we should have similar laws in this country, but progress has been slow — at least until the Attorney-General's Department released a discussion paper in October last year. And now, finally, we have some draft legislation.
Well, some of us do.
Yesterday, SC Magazine reported on the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 that has been shared with a small number of key stakeholders. The report described some of the bill's provisions without exposing the exposure draft itself.
At first glance, the reported penalties sound well worth avoiding. Fines of up to AU$340,000 for individuals and AU$1.7 million for organisations in serious or repeat cases of failing to protect personal data, or AU$34,000 for individuals and AU$170,000 for organisations in smaller cases.
However ZDNet understands that the law, at least as currently drafted, only applies to organisations that fall within the scope of the Privacy Act. That excludes businesses with a turnover of less than AU$3 million a year (unless they handle medical records), political parties, charities, and national security and law enforcement agencies.
Mandatory notification isn't triggered unless the exposure of the data results in "real risk of serious harm" — not merely potential risks, or a real risk of harm that isn't "serious". And the harm must be one of harm to reputation, economic harm, or financial harm.
It seems obvious to me that in some circumstances, the exposure of personal data could result in considerable inconvenience, or even the risk of psychological or even physical harm. Think of someone's sexual health records becoming public, or a victim of domestic violence's new home address becoming known to their oppressor.
And finally, it seems that the stiff penalties "would only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements".
So as it stands, it'll be mandatory notification of data breaches, sure — unless you're too small or have some other excuse, or if you can wave away the risks as uncertain, or if you reckon the harm wasn't all that serious, or if you just don't feel like it this time and are willing to wear the cost of the fine. It's a fairly fuzzy kind of mandatory.
Let's call it Mandatory Lite.
But does any of this actually matter? Data breaches happen when security fails, and security continues to be ... poor.
According to Verizon's latest Data Breach Investigations Report (DBIR) released last month, 78 percent of the intrusions that lead to data breaches are rated as "low difficulty". Around 70 percent of breaches are discovered by external parties, who then notify the victim. Roughly half of those external parties are unrelated to the victim.
"The majority of breaches take months or more to discover ... We've lost any sign of forward progress, and are back to where we were when we started this study," says the report.
During Privacy Awareness Week this week, the Office of the Australian Information Commissioner (OAIC) released its Guide to information security (PDF), discussing what might constitute taking "reasonable steps" to protect private data.
This guide is aimed at helping entities meet their Privacy Act obligations by:
Outlining the circumstances that can affect the assessment of what steps are reasonable to take
Providing examples of steps and strategies which may be reasonable for an entity to take.
The guide will give organisations that handle personal data plenty to think about, but it's just a guide. It falls short of specifying minimum standards, and it isn't binding anyway.
Are an organisation's current security measures "reasonable", given its specific circumstances? That's just another layer of fuzziness, really.
It's something they will likely determine that they needn't spend any time or money on for now. They'll only think about worrying about it after the breach.