What's a fair punishment for data breaches?

Powered by SC Magazine
 
Page 1 of 2 | Single page

Stakeholders ponder penalties and mandatory notification laws.

Australia’s light touch to breaches of the Privacy Act may not be enough to protect consumers and punish the companies that put their personal information at risk, experts say.

Government investigations into data breaches rose 27 percent last year but in the absence of mandatory notification laws in Australia, the worst breaches go unreported.

In the past year, the Office of the Privacy Commissioner investigated alleged breaches of the Privacy Act by Telstra, Google and Vodafone.

The latter two were found guilty. In response, both submitted undertakings to improve their practices and agreed to consult with the Commissioner on their progress.

Bruce Arnold of the University of Canberra’s Faculty of Law said organisations that inadvertently exposed customer data despite following best practices should not be punished – especially where no serious harm occurred.

But other organisations were “negligent” and should be punished in a way that grabbed the attention of corporate executives, insurers and shareholders, he said.

Remember to sign up to our Security bulletin for the definitive summary and analysis of Infosec threats.

“They don’t train their staff properly. They don’t supervise their staff properly. They don’t have adequate firewalls,” he suggested.

“They don’t restrict use of USBs or other media that allow data to walk out of the building. They don’t verify the bona fides of contractors or other parties. They don’t purge hard drives that are sold or sent for scrap.

“They don’t encrypt laptops and portable hard drives and disks and tapes and other data carriers, even though those carriers may contain sensitive information about hundreds or hundreds of thousands of people.

“As a result data breaches continue to occur.”

Last April, the British Government raised the fine for a “serious data breach” from £5000 ($7870) to £500,000 ($787,000).

In Australia, the Privacy Commissioner typically investigates complaints from individuals and could require organisations to apologise, change its practices and compensate complainants for loss or damage.

The Commissioner can also launch ‘own motion investigations’ into large-scale data breaches, but cannot impose any penalties on parties involved.

Meanwhile, the Attorney-General’s Department has the authority to investigate and penalise companies for data breaches but local security experts said the power was rarely enforced.

Arnold said that although most penalties “sound impressive”, they were “trivial” on a per-person basis.

He suggested the imposition of operational restrictions on trusted organisations that suffered recurrent breaches.

“If you cannot be trusted to safeguard customer information, can you be trusted to manage their money?” he asked. “Perhaps your licence to operate should be in question.

“If a food company kept on having food contamination problems it would stop operating. Why is a data custodian any different?

“A one million pound penalty isn’t significant if the loss involves records of 10 million customers and if the corporation spends more than that each year on treats for its executives,” he said.

But for organisations, data breaches cost far more to rectify than a government-imposed fine.

According to the Ponemon Institute, breaches cost Australian organisations an average of $128 a compromised record in 2010, due to the costs of forensics, customer churn, auditing, legal services and reputational damage (pdf).

British and US organisations respectively paid an average of £71 and $US214 to rectify breaches that year.

Microsoft Australia’s government affairs manager Sassoon Grigorian argued for a “fair, reasonable” data breach notification system that recognised different levels of severity and harm.

“One should not ignore that reputation costs and legal exposure can accrue even where an organisation has taken all reasonable steps to guard against information security breaches,” he wrote in a blog post this month.

“Consider, for example, the situation where an information security breach involving the disclosure of sensitive financial information occurs due to an employee’s failure to follow an organisation’s procedures for handling personal information. 

“The organisation may nonetheless be liable.  By notifying affected individuals of an information security breach of this kind, it is inevitable that at least some of those individuals will pursue their legal remedies for the unauthorised disclosure of their personal information.”

Mandatory notification

In 2008, the Australian Law Reform Commission (ALRC) called for the introduction of mandatory data breach notification laws and additional Privacy Commissioner powers.

Under the Australian Law Reform Commission proposal, agencies and organisations would be required to notify customers if a security breach led to the disclosure of their personal information.

Parliament has yet to address those recommendations, although a spokesman for Privacy Minister Brendan O’Connor said it could bring forward its consideration of the proposal “if there is evidence that the problem is growing”.

“Companies are … expected to promptly notify their customers and the Privacy Commissioner where a privacy breach has occurred,” she said.

“The Government is working through the ALRC’s extensive recommendations methodically and in consultation with stakeholders.

“If there is evidence that the problem is growing, and companies are not looking after their customers’ information appropriately, the Government will consider bringing forward consideration of the ALRC recommendation.”

Read on to page two for benefits and risks of mandatory notification laws.

Copyright © iTnews.com.au . All rights reserved.


What's a fair punishment for data breaches?
 
 
 
Top Stories
Westpac hires SAP man as CTO
Creates four new IT lead positions.
 
Qld Transport to replace core registration system
State's biggest citizen info repository set for overhaul.
 
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
More 4G from Optus in Darwin
Nov 21, 2014
Click to see where Optus has expanded coverage to the suburbs near Darwin.
Optus steps up regional 4G coverage
Nov 20, 2014
Once 700Mhz services are working, Optus claims regional users will have a "faster and more ...
This Huawei 4G phone costs $99
Nov 12, 2014
The $99 Huawei Ascend Y550, available through Vodafone, enters the budget market as one of the ...
4G smartphones: Microsoft's Lumia 830
Nov 7, 2014
Microsoft has announced its flagship Windows Phone, the Nokia Lumia 830 4G, will be available in ...
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  7%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  21%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 948

Vote