Data breach laws to follow privacy reforms

Privacy Minister Brendan O'Connor has indicated that mandatory disclosure laws for data breaches in Australia could be enacted if the number and severity of breaches was shown to be on the rise.

The introduction of data breach notification laws has been on the cards since an Australian Law Reform Commission (ALRC) report in 2008.

Mandatory notification could require Australian businesses to publicly disclose instances of data loss where customer information had been compromised.

This could include instances where staff had lost laptops or USB sticks, or where data was stolen by hackers.

Notification has remained in a state of consultation for years; however, a spokesman for the Minister indicated they could soon be brought to bear.

“If there is evidence that the problem [of data breaches] is growing, and companies are not protecting their customers’ private information appropriately, the government will consider bringing forward consideration of the ALRC's [data breach notification] recommendation,” the department spokesman said.

In the absence of such proof, mandatory disclosure would slipstream behind a series of proposed privacy reforms (pdf) unveiled by O'Connor last week.

The reforms aimed - among other things - to give individuals power to sue if their privacy was seriously compromised.

"Proposals for mandatory data breach notification rules [would be] considered by the Government once foundational reforms to the Privacy Act have been progressed," O'Connor's spokesman said.

The spokesman said the Government was “well advanced” in its consideration of the privacy reforms that proceed the data breach notification proposal.

Public consultation on the privacy reforms ends 3 November.

Admitting fault

There were no requirements in Australia for organisations or individuals to report data loss and no mandatory punishments for those that did.

The Government may find it difficult to encourage businesses to come forward and admit to data loss.

Sources polled for this article unanimously said that businesses were encouraged by lawyers and insurance companies not to report data losses.

Those who work to rectify and mitigate security breaches said the scale of data theft dwarfed that known by the government and reported in the media.

Visa had identified that some 40,000 small to medium sized businesses were at high risk of becoming victim to data breach and losing credit card data.

Fraud in these businesses was thought to be lower–value but very common, with almost all instances unreported to government or the media.

Government investigations into data breaches rose 27 percent last year.

Copyright © SC Magazine, Australia