Data breach laws years away

The Australian Law Reform Commission yesterday released a report recommending Australia introduce data breach disclosure laws — but Senator John Faulkner said that bridge would not be crossed by government at least for the next 18 months.

Labor Senator John Faulkner
(Credit: ALP)

Senator John Faulkner at yesterday's press briefing held at the ALRC's offices said the government would not consider legislating mandatory data breach notification laws until it had completed reviewing more important changes over the next 18 months.

Due to the complexity of the task ahead, the government intended on breaking its response to the three-volume report, consisting of 295 recommendations, into two stages.

"The government will be able to legislate on the first stage in the next 12 to 18 months," Faulkner told journalists.

The first stage of recommendations the government will wade through are so-called Unified Privacy Principles, which aim to consolidate concurrent privacy principles that apply differently to the public and private sectors. It will also deal with health-related privacy issues.

"The second stage of the response will consider the remaining recommendations, including those relating to exemptions [from the Privacy Act] and data breach notifications," said Faulkner.

If the proposed mandatory data breach disclosure laws are legislated as recommended by the ALRC, it would mean that any organisation that suffered a data breach, which resulted in the exposure of personally identifiable information, would need to report the breach to the affected individual and the Office of the Privacy Commissioner.

However, for that to occur, the breach must also likely result in actual harm to a person — a decision that the ALRC has recommended be made by the organisation that experienced the breach.

"The initial determination [of whether there is a risk of harm to an individual] will be done by the agency or the organisation," said Professor Les McCrimmon, commissioner in charge of the Privacy Inquiry.

There was, however, a check for organisations that avoid disclosing a breach to affected customers, said McCrimmon.

"If you get a situation where there hasn't been notification, and it does become public, then I'm sure the Privacy Commissioner and others are going to be looking at this and asking why you didn't notify," he said.

The "harm" threshold the ALRC has recommended is a critical difference to California's data breach disclosure laws which do not contain a similar limitation.

McCrimmon said the ALRC had not recommended notifications be made to the general public because a company could still be hacked despite its best efforts to secure its systems.

"At a talk that was given by the head of security for Microsoft, she said there is no system in the world that has been built that can't be hacked into. It may be a one off situation that doesn't indicate the organisation is treating information willy-nilly," he said.

Fears exist that data breach disclosure laws would result in businesses facing huge reporting costs and a burden to invest more heavily in security. But Gartner security, privacy and risk analyst Andrew Walls said most businesses will escape the need to invest new security technology.

"They shouldn't require a large investment in technology to comply with what they're recommending at this point. All that is being recommended is that your systems are being monitored and that you can identify breaches and records of those affected by breaches," Walls told ZDNet.com.au.

"Every financial services organisation does this as a part of the normal course of business. That is, monitor and know what's occurring on their systems," he added.

However, retailers may face a different plight, according to Walls.

"Retailers are well monitored in terms of their back-end systems. The front-end systems however, which have been involved in huge debacles like TJX, still have issues there, but that's more about insufficient practices than insufficient technologies," he said.

Walls said the most likely source of data breaches would be caused by insiders to an organisation.

"It will be the result of either a mistake or done out of curiosity [by an employee]," he said.

Although mass breaches will likely be the result of lost laptops rather than malicious attacks, he added. However, most Australian organisations, similar to counterparts in Europe and the US, fail to apply file or whole disk encryption to laptops, despite the wide availability of free encryption technologies.

Walls also said an instance where people may expect to be notified of a breach but won't be is if their online bank account has been hacked via the use of keyloggers or a trojan.

"If your bank knows that someone has written a worm to go after clients of that bank and it knows a certain number of customers have been affected, does the bank have an expectation of disclosure? Well, no, they haven't been breached — the customer has been breached."