Australian businesses say they are not sold on the government's proposed mandatory data breach notification scheme, with some even going so far as to call for it to be abandoned.
Late last year the government released an exposure draft of its long-awaited bill for the scheme, outlining what it considers a serious breach and the steps an organisation must take in response to one.
It defines a serious breach as unauthorised access to, disclosure or loss of customer information which generates a real risk of serious harm to individuals.
After an entity is aware or "ought to have been aware" a serious breach has occured, it must notify customers, the Privacy Commissioner, and potentially the media "as soon as practicable".
In cases where an entity suspects a breach has occured, it will have 30 days to assess whether it needs to make notification.
However, Australia's biggest industry groups are calling for changes to be made to avoid "notification fatigue" and to make their obligations clearer.
The Australian Industry Group - which represents 60,000 business across a range of sectors - said it couldn't understand why such a scheme was required at all.
"Ai Group understands the reasons why the bill has been drafted but we are not convinced of the need for the bill," it said.
It argued [pdf] there were already privacy protections in place to deal with data breaches, and businesses would face an "unreasonable compliance burden" and difficult implementation of the scheme should it go ahead.
The Australian Retail Credit Association (ARCA) similarly argued the bill needed to be heavily edited if it was to progress any further.
It outlined [pdf] a laundry list of issues, covering the 30-day assessment period, the ability for the Privacy Commissioner to direct an entity to make notification of a breach, and the inclusion of "psychological and emotional" in the definition of what constitutes "harm", among others.
Should have known
Ai Group stood on its own in outright questioning the need for the bill, but echoed the calls of many others in calling for the removal of the concept that an entity would still be subject to disclosure obligations if it 'ought to reasonably be aware' that a serious breach had occured.
The argument was similarly made by Telstra, PriceWaterhouseCoopers, the ABC, the Law Council of Australia, the Insurance Council of Australia [pdf], and the Australian Retail Credit Association.
Telstra said while it assumed the language had been included to address situations where an entity was "wilfully blind" to a serious data breach, it could result in organisations being unfairly targeted for not notifying early enough.
"Security incidents and complaints are generally raised within a large organisation such as ours through a number of channels," Telstra said [pdf].
"It may not be apparent that there is a serious data breach requiring notification until issues are ventilated either by multiple persons or via multiple channels."
PwC said [pdf] its research had found that it takes an average of 243 days between when an entity is hacked and when it discovered the breach, and called on the OAIC to make clearer the circumstances under which it would consider an organisation should have been aware of a breach.
"... an entity may not become aware of a serious data breach until after the hacked information has been unlawfully used or disclosed... This may be a significant time after the serious data breach occurred," the ABC [pdf] agreed, calling for the removal of the 'ought to have been aware' phrase.
The Law Council argued [pdf] the language was too broad and uncertain and pushed for its removal from the bill, as did ARCA, which questioned how an entity can be required to notify of a breach if it is not aware one has occured.
What is harm?
Issues were also raised with how an organisation would be expected to assess the harm to an individual in a data breach.
According to PayPal, the legislation's current scope of "harm" - which includes physical, psychological, economic and reputational - is "overly broad" and requires entities to assess characteristics of individuals without the requisite expertise to do so.
"While PayPal understands the intention of the government is to require organisations to give consideration to the widest possible harm that may result from a data breach, PayPal is concerned that such a breadth of harm imposes an unmanageable risk upon entities such that most if not all data breaches will require notification," it said [pdf]
The Communications Alliance [pdf] "strongly objects" to this "incredibly large scope of harm" and called for the removal of the terms 'emotional' and 'psychological'. The ABC similarly argued the definition of "harm" should be limited to physical and financial harm.
According to PwC, entities will struggle to assess the "seriousness" of harm given individuals have varying thresholds for what they consider harmful - an argument backed by ARCA.
They will also find it difficult to capture and measure what constitues "psychological, emotional or reputational harm", the firm said.
It suggested introducing a "reasonable person" test to remove the subjectivity from the obligations.
The Insurance Council agreed it would be "preferable" to establish an objective standard of assessment, but nonetheless argued for the removal of the "subjective" terminology.
The role of service providers
Under the draft bill, the entity obliged to notify authorities of a breach is that which holds the data that has been breached.
However, the likes of Telstra, Microsoft, PwC, the AIIA and ARCA raised concerns about the scenario of a breach where more than one entity could be considered to "hold" the relevant information.
"In a practical sense if a data breach is caused by a contractor in the possession of an entity’s data but that data is in the control of the entity there may be conflicting requirements to notify," Telstra said, arguing this could result in multiple notifications from separate sources and therefore confusion for customers.
"It is likely that affected individuals ... would not be aware that the notifications that they receive relate to the same data breach," Comms Alliance said.
Microsoft - which lent its support to the bill - said [pdf] a cloud service provider like itself would be unlikely to have the ability to communicate with individuals.
"Many cloud contracts (including Microsoft’s) specifically limit the ability of the cloud service provider to access customer data; and therefore also limit the ability of the provider to make an accurate determination of whether or not serious harm has occurred," it said.
The Department of Social Services [pdf] echoed similar concerns within government, in instances where core systems and databases are managed by other government agencies.
Microsoft, Telstra, the Comms Alliance, PwC and the AIIA said the responsibility for notification should be on the entity that owns the customer relationship.
Does the OAIC even need to be involved?
While many of those submitting their views on the proposed bill called on the government to increase its funding to the severely under-resourced OAIC to ensure proper administration of the scheme, the federal Finance department questioned whether the office even needed to be immediately notified of a breach.
The department said [pdf] while it agreed there was a "strong rationale" to notify individuals in cases of a breach, it didn't see the need for the requirement to notify the OAIC straight away in all cases of a serious data breach.
It gave the example of a payslip for an individual being sent to the wrong person, which would likely be considered a serious breach under the bill, but argued that notifying the OAIC in this instance would lead to "notification fatigue".
"It is not clear what purpose the notification to the OAIC is in these cases. Very little information has been provided on why the OAIC wants this information and what the OAIC will do with the information once it is received," Finance said.
It suggested a two-tier system where notification to the OAIC is only required in cases where a breach affects more than 500 individuals, as seen in California in the US.