What's a fair punishment for data breaches?

Australia’s light touch to breaches of the Privacy Act may not be enough to protect consumers and punish the companies that put their personal information at risk, experts say.

Government investigations into data breaches rose 27 percent last year but in the absence of mandatory notification laws in Australia, the worst breaches go unreported.

In the past year, the Office of the Privacy Commissioner investigated alleged breaches of the Privacy Act by Telstra, Google and Vodafone.

The latter two were found guilty. In response, both submitted undertakings to improve their practices and agreed to consult with the Commissioner on their progress.

Bruce Arnold of the University of Canberra’s Faculty of Law said organisations that inadvertently exposed customer data despite following best practices should not be punished – especially where no serious harm occurred.

But other organisations were “negligent” and should be punished in a way that grabbed the attention of corporate executives, insurers and shareholders, he said.

“They don’t train their staff properly. They don’t supervise their staff properly. They don’t have adequate firewalls,” he suggested.

“They don’t restrict use of USBs or other media that allow data to walk out of the building. They don’t verify the bona fides of contractors or other parties. They don’t purge hard drives that are sold or sent for scrap.

“They don’t encrypt laptops and portable hard drives and disks and tapes and other data carriers, even though those carriers may contain sensitive information about hundreds or hundreds of thousands of people.

“As a result data breaches continue to occur.”

Last April, the British Government raised the fine for a “serious data breach” from £5000 ($7870) to £500,000 ($787,000).

In Australia, the Privacy Commissioner typically investigates complaints from individuals and could require organisations to apologise, change its practices and compensate complainants for loss or damage.

The Commissioner can also launch ‘own motion investigations’ into large-scale data breaches, but cannot impose any penalties on parties involved.

Meanwhile, the Attorney-General’s Department has the authority to investigate and penalise companies for data breaches but local security experts said the power was rarely enforced.

Arnold said that although most penalties “sound impressive”, they were “trivial” on a per-person basis.

He suggested the imposition of operational restrictions on trusted organisations that suffered recurrent breaches.

“If you cannot be trusted to safeguard customer information, can you be trusted to manage their money?” he asked. “Perhaps your licence to operate should be in question.

“If a food company kept on having food contamination problems it would stop operating. Why is a data custodian any different?

“A one million pound penalty isn’t significant if the loss involves records of 10 million customers and if the corporation spends more than that each year on treats for its executives,” he said.

But for organisations, data breaches cost far more to rectify than a government-imposed fine.

According to the Ponemon Institute, breaches cost Australian organisations an average of $128 a compromised record in 2010, due to the costs of forensics, customer churn, auditing, legal services and reputational damage (pdf).

British and US organisations respectively paid an average of £71 and $US214 to rectify breaches that year.

Microsoft Australia’s government affairs manager Sassoon Grigorian argued for a “fair, reasonable” data breach notification system that recognised different levels of severity and harm.

“One should not ignore that reputation costs and legal exposure can accrue even where an organisation has taken all reasonable steps to guard against information security breaches,” he wrote in a blog post this month.

“Consider, for example, the situation where an information security breach involving the disclosure of sensitive financial information occurs due to an employee’s failure to follow an organisation’s procedures for handling personal information. 

“The organisation may nonetheless be liable.  By notifying affected individuals of an information security breach of this kind, it is inevitable that at least some of those individuals will pursue their legal remedies for the unauthorised disclosure of their personal information.”

Mandatory notification

In 2008, the Australian Law Reform Commission (ALRC) called for the introduction of mandatory data breach notification laws and additional Privacy Commissioner powers.

Under the Australian Law Reform Commission proposal, agencies and organisations would be required to notify customers if a security breach led to the disclosure of their personal information.

Parliament has yet to address those recommendations, although a spokesman for Privacy Minister Brendan O’Connor said it could bring forward its consideration of the proposal “if there is evidence that the problem is growing”.

“Companies are … expected to promptly notify their customers and the Privacy Commissioner where a privacy breach has occurred,” she said.

“The Government is working through the ALRC’s extensive recommendations methodically and in consultation with stakeholders.

“If there is evidence that the problem is growing, and companies are not looking after their customers’ information appropriately, the Government will consider bringing forward consideration of the ALRC recommendation.”

Read on to page two for benefits and risks of mandatory notification laws.

In the absence of notification laws, Australian organisations had no legal obligation to notify the Office of the Privacy Commissioner of a data breach, but could voluntarily do so.

Former Privacy Commissioner Malcolm Crompton speculated that business was suffering from uncertainty around whether mandatory notification laws would be introduced.

“It will be good for individuals and good for business through the eventual creation of confidence in business and government when they can prove that they can manage personal information safely,” he said.

Similar laws in some US states imposed penalties on failures to notify individuals. For example, Indiana classified failure to notify as “a deceptive act” that could incur a fine of up to $US150,000.

The University of Canberra’s Arnold noted that organisations may object to mandatory reporting over fears that consumers and shareholders may not differentiate between negligence, inescapable, trivial and non-trivial breaches.

Verizon this year found a “virtual explosion” of data breaches in organisations with between 11 and 100 staff.

But its Asia-Pacific managing principal of Investigative Response Mark Goudie would not argue for or against data breach notification laws, noting that US laws had led to “consumer outrage” but had an unknown effect on information security.

Arnold also highlighted fears that mandatory reporting could lead to “data breach fatigue”, following which consumers would “give up and stop taking sensible precautions on their own”.

But he argued that notification laws would give lawmakers more information so they could “benchmark good practice and build good law”.

“In Australia we don’t have much solid information about the frequency, targets and scale of data breaches,” he said. “There’s lots of speculation, much disagreement, much complacency.

“If we don’t know that the data is being breached we cannot shame [negligent organisations]. They don’t get smacked by the regulators, they aren’t deserted by consumers who realise that they can’t be trusted, they aren’t penalised by insurers.”