Democrats Senator Natasha Stott Despoja will introduce to Federal Parliament this Thursday a proposed amendment to the Federal Privacy Act that introduces data disclosure laws to Australia.
This afternoon Stott Despoja gave notice of her intention to introduce The Privacy (Data Security Breach Notification) Amendment Bill 2007, which would obligate a corporation or government agency to inform individuals affected by any release of personal and financial data to unauthorised parties.
Stott Despoja said that the current privacy legislation (Privacy Act 1988) is deficient as there is no legal requirement forcing the public notification of data breaches by corporations and government agencies.
The Private Senator's Bill uses principles from the original Privacy Act to define what constitutes private information, and further defines a data breach to include "any authorised acquisition, transmission use or disclosure of personal information involving an unauthorised party".
Unauthorised parties includes those not employed by the organisation responsible for keeping the data private, and any employee of an organisation that either exceeds their authority to access the information or uses the information for purposes unrelated to their professional duties.
Notifications to affected individuals are to be made "promptly and without any unnecessary delay" and without any cost to the affected individual.
The notification will need to be in writing, and will need to include copies of the precise data that was disclosed, identification of any known recipients of the leaked data, information about what attempts were made to recover the leaked data and information about measures taken to ensure it doesn't happen again.
In her proposed speech to introduce the bill, Stott Despoja will make reference to a report by the IT Policy Compliance Group which found that over two-thirds of Australian organisations experience six losses of sensitive data each year.
"The report states that one in five organisations loses sensitive data 22 or more times a year," she is expected to state. "These breaches reportedly include customer, financial, corporate employee and IT security data which is stolen, leaked or inappropriately destroyed."
She will also reference an Australian Computer Crime and Security Survey which shows that the average annual losses from electronic attacks rose 63 percent in the 12 months to May 2006, to reach AU$241,150 per organisation.
High profile data breaches such as those suffered by the Australian Defence Force and broadcaster Channel Ten will also be used as examples of where the current Act fails to protect the privacy of individuals.
"In order to give individuals more control over their personal information and to satisfy public expectations, parliament must legislate to require Commonwealth agencies and organisations to tell individuals when their personal information has been compromised," Despoja said in a press statement today.
"I hope my colleagues will support this straightforward amendment to the Privacy Act."
Thumbs up from industry
Gartner analyst Andrew Walls said data disclosure laws are essential to empower consumers with the knowledge to make better decisions, and to sharpen up corporate defences against security attacks.
"Without disclosure of breaches the consumer is kept in the dark and is not able to make intelligent choices about who to trust with their private data," Walls said at the Gartner IT Security Summit in Sydney today.
"We also have a situation where business leaders do not actually believe that data loss is a problem. They do not understand that security is an issue for their firm because we do not see information about data losses hitting the press or getting out in public.
"It's very important that we establish quality of security practice through breach disclosure as a way of bringing market forces to bear on the improvement of security and the assurance of privacy for Australian citizens."
Walls' US counterpart Rich Mogull said while preparing for today's speech (at the Summit), he found "a fraction" of the amount of information about data breaches in Australia compared to what is reported in those regions of the world that have disclosure laws.
But breaches, he said, definitely are occurring here.
"We know what kind of security programs Australian companies have," he said. "There is no way they are materially better at this than the US. Even if they were a little better, they are still going to have breaches."
Without data disclosure laws, Mogull said, there is no market force in Australia pushing organisations to do their security better.
"We in the security industry don't have the information we need to make informed decisions about how to best protect ourselves," he said. "We don't know how the breaches are occurring. The system is broken. The only way to fix that is to start with disclosure laws. At least then you can scope the problem."
The California example
Globally, data disclosure laws were first introduced in the US state of California in 2002, and have since gradually rolled out to 40 other states.
These have resulted in hundreds of organisations coming clean on privacy and security breaches. And according to Mogull, has compelled most US organisations to clean up their act on security.
In order for data disclosure laws to be effective, Mogull said, they need to be enforceable not just from a government agency but also by the actions of affected individuals and businesses. Government regulators alone, he said, may be too cumbersome to cope with the issue.
"If Australia builds in a mechanism whereby the consumers can take action themselves, that may be a good market forces approach," he said.