What's a fair punishment for data breaches?

Powered by SC Magazine
Page 1 of 2 | Single page

Stakeholders ponder penalties and mandatory notification laws.

Australia’s light touch to breaches of the Privacy Act may not be enough to protect consumers and punish the companies that put their personal information at risk, experts say.

Government investigations into data breaches rose 27 percent last year but in the absence of mandatory notification laws in Australia, the worst breaches go unreported.

In the past year, the Office of the Privacy Commissioner investigated alleged breaches of the Privacy Act by Telstra, Google and Vodafone.

The latter two were found guilty. In response, both submitted undertakings to improve their practices and agreed to consult with the Commissioner on their progress.

Bruce Arnold of the University of Canberra’s Faculty of Law said organisations that inadvertently exposed customer data despite following best practices should not be punished – especially where no serious harm occurred.

But other organisations were “negligent” and should be punished in a way that grabbed the attention of corporate executives, insurers and shareholders, he said.

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.

“They don’t train their staff properly. They don’t supervise their staff properly. They don’t have adequate firewalls,” he suggested.

“They don’t restrict use of USBs or other media that allow data to walk out of the building. They don’t verify the bona fides of contractors or other parties. They don’t purge hard drives that are sold or sent for scrap.

“They don’t encrypt laptops and portable hard drives and disks and tapes and other data carriers, even though those carriers may contain sensitive information about hundreds or hundreds of thousands of people.

“As a result data breaches continue to occur.”

Last April, the British Government raised the fine for a “serious data breach” from £5000 ($7870) to £500,000 ($787,000).

In Australia, the Privacy Commissioner typically investigates complaints from individuals and could require organisations to apologise, change its practices and compensate complainants for loss or damage.

The Commissioner can also launch ‘own motion investigations’ into large-scale data breaches, but cannot impose any penalties on parties involved.

Meanwhile, the Attorney-General’s Department has the authority to investigate and penalise companies for data breaches but local security experts said the power was rarely enforced.

Arnold said that although most penalties “sound impressive”, they were “trivial” on a per-person basis.

He suggested the imposition of operational restrictions on trusted organisations that suffered recurrent breaches.

“If you cannot be trusted to safeguard customer information, can you be trusted to manage their money?” he asked. “Perhaps your licence to operate should be in question.

“If a food company kept on having food contamination problems it would stop operating. Why is a data custodian any different?

“A one million pound penalty isn’t significant if the loss involves records of 10 million customers and if the corporation spends more than that each year on treats for its executives,” he said.

But for organisations, data breaches cost far more to rectify than a government-imposed fine.

According to the Ponemon Institute, breaches cost Australian organisations an average of $128 a compromised record in 2010, due to the costs of forensics, customer churn, auditing, legal services and reputational damage (pdf).

British and US organisations respectively paid an average of £71 and $US214 to rectify breaches that year.

Microsoft Australia’s government affairs manager Sassoon Grigorian argued for a “fair, reasonable” data breach notification system that recognised different levels of severity and harm.

“One should not ignore that reputation costs and legal exposure can accrue even where an organisation has taken all reasonable steps to guard against information security breaches,” he wrote in a blog post this month.

“Consider, for example, the situation where an information security breach involving the disclosure of sensitive financial information occurs due to an employee’s failure to follow an organisation’s procedures for handling personal information. 

“The organisation may nonetheless be liable.  By notifying affected individuals of an information security breach of this kind, it is inevitable that at least some of those individuals will pursue their legal remedies for the unauthorised disclosure of their personal information.”

Mandatory notification

In 2008, the Australian Law Reform Commission (ALRC) called for the introduction of mandatory data breach notification laws and additional Privacy Commissioner powers.

Under the Australian Law Reform Commission proposal, agencies and organisations would be required to notify customers if a security breach led to the disclosure of their personal information.

Parliament has yet to address those recommendations, although a spokesman for Privacy Minister Brendan O’Connor said it could bring forward its consideration of the proposal “if there is evidence that the problem is growing”.

“Companies are … expected to promptly notify their customers and the Privacy Commissioner where a privacy breach has occurred,” she said.

“The Government is working through the ALRC’s extensive recommendations methodically and in consultation with stakeholders.

“If there is evidence that the problem is growing, and companies are not looking after their customers’ information appropriately, the Government will consider bringing forward consideration of the ALRC recommendation.”

Read on to page two for benefits and risks of mandatory notification laws.

Copyright © iTnews.com.au . All rights reserved.

What's a fair punishment for data breaches?
Top Stories
IAG hands digital chief his own ‘Labs’ division
Enterprise ops chief squeezed out in restructure.
Sign up to receive iTnews email bulletins
Latest articles on BIT Latest Articles from BIT
The 5 Windows 10 privacy issues you should be aware of
Jul 31, 2015
There are a few unsettling details when it comes to Windows 10 privacy
Windows 10 is here! (For some)
Jul 29, 2015
Delivery of the free upgrade versions of Windows 10 began today - have you got yours yet?
Microsoft reveals Microsoft Send, a new enterprise chat app to rival Slack
Jul 27, 2015
Microsoft Send is MSN Messenger for grownups, and you could be using it at work very soon
Developers offered $500,000 grants to find HoloLens uses
Jul 8, 2015
Can augmented-reality end up in business?
Microsoft Tossup: The planning app for unorganised groups of friends
Jul 8, 2015
App allows friends to research venues, vote on plans and chat. And depending on how you run your ...
Latest Comments
Should law enforcement be able to buy and use exploits?

   |   View results
Only in special circumstances
Yes, but with more transparency