What's a fair punishment for data breaches?

Powered by SC Magazine
Page 1 of 2 | Single page

Stakeholders ponder penalties and mandatory notification laws.

Australia’s light touch to breaches of the Privacy Act may not be enough to protect consumers and punish the companies that put their personal information at risk, experts say.

Government investigations into data breaches rose 27 percent last year but in the absence of mandatory notification laws in Australia, the worst breaches go unreported.

In the past year, the Office of the Privacy Commissioner investigated alleged breaches of the Privacy Act by Telstra, Google and Vodafone.

The latter two were found guilty. In response, both submitted undertakings to improve their practices and agreed to consult with the Commissioner on their progress.

Bruce Arnold of the University of Canberra’s Faculty of Law said organisations that inadvertently exposed customer data despite following best practices should not be punished – especially where no serious harm occurred.

But other organisations were “negligent” and should be punished in a way that grabbed the attention of corporate executives, insurers and shareholders, he said.

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.

“They don’t train their staff properly. They don’t supervise their staff properly. They don’t have adequate firewalls,” he suggested.

“They don’t restrict use of USBs or other media that allow data to walk out of the building. They don’t verify the bona fides of contractors or other parties. They don’t purge hard drives that are sold or sent for scrap.

“They don’t encrypt laptops and portable hard drives and disks and tapes and other data carriers, even though those carriers may contain sensitive information about hundreds or hundreds of thousands of people.

“As a result data breaches continue to occur.”

Last April, the British Government raised the fine for a “serious data breach” from £5000 ($7870) to £500,000 ($787,000).

In Australia, the Privacy Commissioner typically investigates complaints from individuals and could require organisations to apologise, change its practices and compensate complainants for loss or damage.

The Commissioner can also launch ‘own motion investigations’ into large-scale data breaches, but cannot impose any penalties on parties involved.

Meanwhile, the Attorney-General’s Department has the authority to investigate and penalise companies for data breaches but local security experts said the power was rarely enforced.

Arnold said that although most penalties “sound impressive”, they were “trivial” on a per-person basis.

He suggested the imposition of operational restrictions on trusted organisations that suffered recurrent breaches.

“If you cannot be trusted to safeguard customer information, can you be trusted to manage their money?” he asked. “Perhaps your licence to operate should be in question.

“If a food company kept on having food contamination problems it would stop operating. Why is a data custodian any different?

“A one million pound penalty isn’t significant if the loss involves records of 10 million customers and if the corporation spends more than that each year on treats for its executives,” he said.

But for organisations, data breaches cost far more to rectify than a government-imposed fine.

According to the Ponemon Institute, breaches cost Australian organisations an average of $128 a compromised record in 2010, due to the costs of forensics, customer churn, auditing, legal services and reputational damage (pdf).

British and US organisations respectively paid an average of £71 and $US214 to rectify breaches that year.

Microsoft Australia’s government affairs manager Sassoon Grigorian argued for a “fair, reasonable” data breach notification system that recognised different levels of severity and harm.

“One should not ignore that reputation costs and legal exposure can accrue even where an organisation has taken all reasonable steps to guard against information security breaches,” he wrote in a blog post this month.

“Consider, for example, the situation where an information security breach involving the disclosure of sensitive financial information occurs due to an employee’s failure to follow an organisation’s procedures for handling personal information. 

“The organisation may nonetheless be liable.  By notifying affected individuals of an information security breach of this kind, it is inevitable that at least some of those individuals will pursue their legal remedies for the unauthorised disclosure of their personal information.”

Mandatory notification

In 2008, the Australian Law Reform Commission (ALRC) called for the introduction of mandatory data breach notification laws and additional Privacy Commissioner powers.

Under the Australian Law Reform Commission proposal, agencies and organisations would be required to notify customers if a security breach led to the disclosure of their personal information.

Parliament has yet to address those recommendations, although a spokesman for Privacy Minister Brendan O’Connor said it could bring forward its consideration of the proposal “if there is evidence that the problem is growing”.

“Companies are … expected to promptly notify their customers and the Privacy Commissioner where a privacy breach has occurred,” she said.

“The Government is working through the ALRC’s extensive recommendations methodically and in consultation with stakeholders.

“If there is evidence that the problem is growing, and companies are not looking after their customers’ information appropriately, the Government will consider bringing forward consideration of the ALRC recommendation.”

Read on to page two for benefits and risks of mandatory notification laws.

Copyright © iTnews.com.au . All rights reserved.

What's a fair punishment for data breaches?
Top Stories
Toll Group to go Google
Poaches Woolworths project manager.
How News Corp's CIO tackled skills in his race to the cloud
What to do when your team’s talents are no longer needed.
Photos: How Thodey transformed Telstra
From turbulent Trujillo to Australia's leading telco.
Sign up to receive iTnews email bulletins
Latest articles on BIT Latest Articles from BIT
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
The 2015 Xero Roadshow is on: here are the locations and dates
Feb 6, 2015
The 2015 Xero Roadshow kicked off this week - see where you can attend at locations around ...
Microsoft Outlook is now on iPhone and iPad: why could this be useful?
Jan 30, 2015
Microsoft today released Office for Android and Outlook for iOS - complementing the other Office ...
Franchisees, here's something you should know about
Jan 23, 2015
You need to know the Code if you are a franchisee or franchisor as the penalties are significant.
Xero users rejoice! Quoting has finally arrived
Jan 23, 2015
It has taken years, but Xero has at last added integrated quoting to its online accounting software.
Latest Comments
Who do you trust most to protect your private data?

   |   View results
Your bank
Your insurance company
A technology company (Google, Facebook et al)
Your telco, ISP or utility
A retailer (Coles, Woolworths et al)
A Federal Government agency (ATO, Centrelink etc)
An Australian law enforcement agency (AFP, ASIO et al)
A State Government agency (Health dept, etc)

Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
I DON'T support shutting the OAIC.