Privacy Commissioner to look favourably on voluntary breach notifications


Fast track into the OAIC's good books.

Privacy Commissioner Timothy Pilgrim has promised that members of the business community who proactively notify his office about a data breach are more likely to receive a favourable reception than those who don't.

"Notification of a privacy breach may not stop us from commencing an investigation if we feel it is necessary and appropriate in the circumstances," Pilgrim told attendees at this morning's Privacy Awareness Week launch.

"But the early notification of a data breach will be taken into account when considering whether additional regulatory action is necessary."

Such was the case in 2011, when the ANZ bank discovered a security hole that allowed unauthorised users to access customer statements even after the customer had logged out of their account on a particular computer.

The backlash from the public was quick, the Privacy Commissioner said, but was softened by the fact that ANZ had wasted no time getting on the phone to Pilgrim himself.

"ANZ contacted me personally one evening and outlined what had happened, the steps they were taking to deal with it, and to identify what happened," he told iTnews.

"When the news broke in the media some 24 hours later, I was able to say I was across the incident."

By keeping the OAIC in the loop, the ANZ also avoided a formal investigation by the regulator.

"But if an organisation doesn't tell us about a breach and we find out about it through the media, we will have to start an investigation because we don't have the background information that we need," Pilgrim said.

While the rate of voluntary notifications coming into his office is on the increase, the Commissioner said he suspected "we receive only a small fraction of those that actually take place".

Pilgrim said the OAIC would not "jump straight into" using its new powers, which allow it to fine business entities and agencies up to $1.7 million if they are found to have unlawfully disclosed personal information of customers.

"We see the next 12 months as a period of consolidation, for all of us to bed down the reforms," he said.

The Office would be more likely to err on the side of written enforceable undertakings in any case where action is warranted against an entity, he said.

"If an organisation pledges to us that they are going to introduce a new security system by a certain time and they haven't done that in a way that we have agreed, we will be able to take them to court," Pilgrim said.

Copyright © iTnews.com.au . All rights reserved.
