What's a fair punishment for data breaches?

Stakeholders ponder penalties and mandatory notification laws.

Australia’s light touch to breaches of the Privacy Act may not be enough to protect consumers and punish the companies that put their personal information at risk, experts say.

Government investigations into data breaches rose 27 percent last year but in the absence of mandatory notification laws in Australia, the worst breaches go unreported.

In the past year, the Office of the Privacy Commissioner investigated alleged breaches of the Privacy Act by Telstra, Google and Vodafone.

The latter two were found guilty. In response, both submitted undertakings to improve their practices and agreed to consult with the Commissioner on their progress.

Bruce Arnold of the University of Canberra’s Faculty of Law said organisations that inadvertently exposed customer data despite following best practices should not be punished – especially where no serious harm occurred.

But other organisations were “negligent” and should be punished in a way that grabbed the attention of corporate executives, insurers and shareholders, he said.

“They don’t train their staff properly. They don’t supervise their staff properly. They don’t have adequate firewalls,” he suggested.

“They don’t restrict use of USBs or other media that allow data to walk out of the building. They don’t verify the bona fides of contractors or other parties. They don’t purge hard drives that are sold or sent for scrap.

“They don’t encrypt laptops and portable hard drives and disks and tapes and other data carriers, even though those carriers may contain sensitive information about hundreds or hundreds of thousands of people.

“As a result data breaches continue to occur.”

Last April, the British Government raised the fine for a “serious data breach” from £5000 ($7870) to £500,000 ($787,000).

In Australia, the Privacy Commissioner typically investigates complaints from individuals and could require organisations to apologise, change its practices and compensate complainants for loss or damage.

The Commissioner can also launch ‘own motion investigations’ into large-scale data breaches, but cannot impose any penalties on parties involved.

Meanwhile, the Attorney-General’s Department has the authority to investigate and penalise companies for data breaches but local security experts said the power was rarely enforced.

Arnold said that although most penalties “sound impressive”, they were “trivial” on a per-person basis.

He suggested the imposition of operational restrictions on trusted organisations that suffered recurrent breaches.

“If you cannot be trusted to safeguard customer information, can you be trusted to manage their money?” he asked. “Perhaps your licence to operate should be in question.

“If a food company kept on having food contamination problems it would stop operating. Why is a data custodian any different?

“A one million pound penalty isn’t significant if the loss involves records of 10 million customers and if the corporation spends more than that each year on treats for its executives,” he said.

But for organisations, data breaches cost far more to rectify than a government-imposed fine.

According to the Ponemon Institute, breaches cost Australian organisations an average of $128 a compromised record in 2010, due to the costs of forensics, customer churn, auditing, legal services and reputational damage (pdf).

British and US organisations respectively paid an average of £71 and $US214 to rectify breaches that year.

Microsoft Australia’s government affairs manager Sassoon Grigorian argued for a “fair, reasonable” data breach notification system that recognised different levels of severity and harm.

“One should not ignore that reputation costs and legal exposure can accrue even where an organisation has taken all reasonable steps to guard against information security breaches,” he wrote in a blog post this month.

“Consider, for example, the situation where an information security breach involving the disclosure of sensitive financial information occurs due to an employee’s failure to follow an organisation’s procedures for handling personal information. 

“The organisation may nonetheless be liable.  By notifying affected individuals of an information security breach of this kind, it is inevitable that at least some of those individuals will pursue their legal remedies for the unauthorised disclosure of their personal information.”

Mandatory notification

In 2008, the Australian Law Reform Commission (ALRC) called for the introduction of mandatory data breach notification laws and additional Privacy Commissioner powers.

Under the Australian Law Reform Commission proposal, agencies and organisations would be required to notify customers if a security breach led to the disclosure of their personal information.

Parliament has yet to address those recommendations, although a spokesman for Privacy Minister Brendan O’Connor said it could bring forward its consideration of the proposal “if there is evidence that the problem is growing”.

“Companies are … expected to promptly notify their customers and the Privacy Commissioner where a privacy breach has occurred,” she said.

“The Government is working through the ALRC’s extensive recommendations methodically and in consultation with stakeholders.

“If there is evidence that the problem is growing, and companies are not looking after their customers’ information appropriately, the Government will consider bringing forward consideration of the ALRC recommendation.”

Read on to page two for benefits and risks of mandatory notification laws.