Australia's mandatory data breach disclosure laws will slipstream behind the Federal Government’s proposed reforms to give individuals power to sue if privacy is compromised.
A discussion paper for the proposed privacy reforms, announced last week by Home Affairs Minister Brendan O'Connor, could, among other measures, introduce a statutory cause of action for individuals who have suffered serious invasions of their privacy.
A spokesperson for O'Connor said, without naming a date, that "proposals for mandatory data breach notification rules [would be] considered by the government once foundational reforms to the Privacy Act have been progressed."
The department said it was "well advanced" in its consideration of the privacy reforms that precede the data breach notification proposal.
Public consultation on the privacy reforms ends 3 November.
Recommendations for data breach notification laws by the Australian Law Reform Commission (ALRC) made in 2008 have remained in a state of consultation for years.
But O'Connor's department said it would bring forward consideration of the proposed laws if it was presented with evidence that information security within businesses was inadequate and that loss of personal information was increasing.
“If there is evidence that the problem [of data breaches] is growing, and companies are not protecting their customers’ private information appropriately, the government will consider bringing forward consideration of the ALRC's [data breach notification] recommendation,” the department spokesperson said.
If adopted, Australian businesses could be required to publicly disclose instances of data loss where customer information had been compromised.
Based on US laws, this could include instances where staff had lost laptops or USB sticks, or where data had been stolen through hacking.
There are currently no requirements in Australia for organisations or individuals to report data loss, and no mandatory penalties for organisations that lose data.
The government may also find it difficult to encourage businesses to come forward and admit to data loss. Dozens of SC information security sources unanimously said that businesses were encouraged by lawyers and insurance companies not to report data loss.
Those who work to rectify and mitigate security breaches say the scale of data theft dwarfed that known by the government and reported in the media.
Visa had identified that some 40,000 small to medium sized businesses were at high risk of becoming victim to data breach and losing credit card data.
Fraud in these businesses was thought to be lower-value but very common, with almost all instances unreported to government or the media.
Government investigations into data breaches rose 27 percent last year.
O'Connor's department said it would still consider data breach notification laws, even though the privacy reform documents referred to a statement by New Zealand privacy advocate Professor John Burrows that such laws could be unnecessary if a statutory cause of action was introduced.
The Australian Information Commissioner had previously issued voluntary guidelines for data breach notification.
Privacy commissioners may impose undertakings on businesses found to have suffered a data breach, but these have typically included only basic improvements to security arrangements.