iTnews

Local industry keen to mirror UK’s data breach fines

By Liz Tay
Mar 26 2010 12:41AM

£500,000 fines could help secure society.

Australia should follow Britain's lead in heavily fining organisations for serious data losses, according to security industry figures discussing the development with iTnews.

The recommendation followed the recent introduction of British legislation that would raise the fine for a serious data breach from £5,000 (AUD$8,190) to £500,000 (AUD$819,000) from 6 April.

"The UK has shown a strong lead in allowing the Information Commissioner's Office to levy hefty fines under the Data Protection Act (DPA)," said Amichai Shulman, CTO of security vendor Imperva.

"Clearly it would benefit the rest of the world to follow this lead," he said.

British legislation imposed penalties for data breaches if a data controller was found to seriously contravene data protection principles in a way that would likely cause substantial damage.

But because the legislation was worded in a way that required the controller to know that contravention may occur, Shulman said the legislation relied on organisations being honest upon discovery of a breach.

Australia has been reviewing its privacy laws in recent years and is expected to introduce some form of mandatory disclosure regulations.

According to Australian Privacy Commissioner Karen Curtis, the Government has "agreed in principle" with Australian Law Reform Commission (ALRC) recommendations that organisations be penalised for serious privacy breaches.

The ALRC recommended that the Privacy Commissioner be given the power to seek a civil penalty in a Court for a serious or repeated breach of privacy, and that reporting of serious data breaches be mandatory.

"The Government, in its first stage response to the ALRC report, has already agreed in principle to the application of civil penalties for serious privacy breaches where other compliance orientated enforcement methods are not sufficient," Curtis told iTnews.

"The Government is still considering the issue of data breach notification."

But although the Attorney-General's department currently has the authority to investigate and penalise companies for data breaches, this power was rarely enforced, local security expert Chris Gatford told iTnews.

"There's no policy that enforces data loss disclosure," said Gatford, the director of Australian penetration testing company HackLabs.

"We've got to have something [to promote data protection] in Australia; the sooner Australia has regulations about data loss, the sooner society as a whole will potentially be better secured."

Gatford recommended "bad press and hefty fines" to keep organisations wary of data loss, which ultimately would fall to IT security and risk management teams to prevent.

Meanwhile, Imperva's Shulman warned that legislation should focus on keeping data secure, rather than disclosure, lest organisations focus on protecting themselves instead of their data.

"Penalties may be necessary, but governments should try to be constructive and focus regulations on the protection side rather than on the disclosure side," he said.

The Office of the Privacy Commissioner has received 24 data breach notifications this financial year. Curtis said each notification was taken seriously, and her office often worked with the organisations involved to minimise damage and limit the possibilities of future breaches.

"My Office believes that constructive engagement with businesses and government agencies to learn lessons and build strong and robust systems and practices is the primary means of ensuring good privacy outcomes," she told iTnews.
