The Australian Attorney General's Department has circulated a draft exposure bill for data breach notification laws, which the Government optimistically hopes to pass through Parliament within months.
The confidential release of the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, leaked to Secure Computing, suggests the Australian Government is serious about attempting to pass a long-awaited privacy reform before the end of its term.
The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Australian Privacy Commissioner, affected consumers and occasionally the media when data breaches occur.
A discussion paper was issued in October seeking public feedback on design of the scheme.
Sources close to the formulation of the scheme say the laws could come into force as early as July this year, with a grace period for organisations to comply.
What constitutes a breach?
Under the draft legislation, the Federal Government would consider a data breach to be serious if an organisation is delinquent in its requirements under the new Australian Privacy Principles to take reasonable steps to secure customer personal information.
The breached data, lost or stolen, would need to expose customers to a "real risk of serious harm" and potentially subject to unauthorised access or disclosure.
There would need to be a less than remote chance that breached data could be used to damage a customer's reputation and hip pocket.
Repeat and serious offenders face financial penalties of up to $340,000 for individuals or $1.7 million for organisations - a maximum penalty which was last month increased from $220,000 and $1.1 million respectively.
Small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.
The draft bill was not prescriptive in the technology organisations should use, nor what may constituted "reasonable" efforts to secure customer data.
Organisations could also face fines if their outsourcer is breached under the draft bill. If personal information is sent overseas, the sender is required under APP 8.1 (pdf) to reasonably ensure the receiving company does not breach privacy law.
In the eyes of the Privacy Office, the organisation that sent customer data to an offshore provider remains the guardian of the data. If the Privacy Commissioner finds due diligence did not occur prior to this transaction - and a breach occurs at the third party - the guardian of that data faces a serious data breach.
Data loss stemming from a lack of due diligence in protecting credit reporting and credit eligibility data was also considered a possible serious breach, as was the sending of this data offshore.
Organisations could also face serious breaches if Tax File Numbers were lost or stolen without first being reasonably protected.
Under the draft bill, serious breaches require impacted organisations to send a prompt statement to the Privacy Commissioner, outlining among other elements the details of the serious breach, the compromised information and remedial steps that victims should take.
Exposed customers must also be individually notified using whichever communication channels the organisation normally employs.
The Commissioner could also force the affected organisation to post a public statement on its website and inform media outlets across the states and territories, according to the draft bill.
Law enforcement were exempt under the draft bill to avoid risking prejudice against agency operations.
Such an exemption was flagged as necessary in March by Victoria's Commissioner for Law Enforcement Data Security, David Watts, who said data breach notification laws could threaten service providers with "astonishing reputational damage" but also shake public confidence in the police service and possibly reveal its security vulnerabilities.
The Privacy Commissioner could also provide exemption to organisations from having to publicly report data breaches if it was deemed in the public interest.
It is understood that these exemptions could exist to prevent interruption to data breach investigations.
Operators of the Personally Controlled Electronic Health Record must already report breaches and will not have to report again under the draft bill.
SC and iTnews met yesterday with CIOs and CSOs from top tier Australian enterprises to discuss data breach notification. Subscribe to Secure Computing (free of charge) and stay tuned for their insights.