New breach laws invoke mixed reactions

The Australian Law Reform Commission’s (ALRC) mandatory data breach disclosure recommendations
need fine-tuning, according to experts.

The recommendation, which was just one out of 295 proposed changes to Australia’s 20-year-old Privacy Act found that the Act should be modernised to include a requirement for organisations to notify the Privacy Commissioner and affected individuals when a data breach of significance has occurred.

However, the government’s avowal that is has grouped the reforms in the second stage of its review process - which won’t begin for at least a minimum of 18 months-has invoked concerns amongst security experts.

“I give it a thumbs up, I just feel that we’ve got to stop putting such long time frames on it,” said Oscar Marquez, Marshal’s head technical consultant APAC.

“I think it could actually drip in to four years [even though] the government says 18-months. By the time the bill actually gets through it will be about three years.

“Then, by that time, we have a change of government or we’ve gone through an election and everything get’s stalled for another year and a half," said Marquez.

Despite his disapproval of the the lengthy time approach, Marquez admitted two or three years is in some ways a blessing for business which will require that amount of time to prepare.

"What you don’t want to be doing is waiting three years, especially once the issue starts becoming public knowledge; the last thing a business wants is not to be compliant on the day of the release.

He predicts business will begin altering their policy within three years. "We’re going to first see the enforcement of policy internally, and start training staff to be policy aware.

The US, in particular the State of California initiated a data breach disclosure phenomenon way back in 2003. It is yet to enact a Federal law of such but the California Security Breach Notification Law has prompted at least 40 other states and several countries to follow suit.

According to Marquez, those countries such as Mexico have more of a government drive behind it, something that he fears lacks here.

"The government really pushes down their Act,” said Marquez. “In Australia, I really believe that the recommendations will be socialised by the time it gets to a bill format.

“At the end of the day is the government really going to sit down with business leaders? I don’t think so,” said Marquez.

Agreeing, Gerry Tucker, head of APAC at email security vendor Proofpoint said citizens are much more trusting of government organisations than they are of commercial organisations.

Therefore, he said, “There is an opportunity for government to take a lead and there’s a great expectation that government will take the lead,” said Tucker.

At the announcement of the ALRC’s recommendations this week, Cabinet Secretary John Faulkner, confirmed the government’s position and ensured the importance of securing personal information is part of the government’s program.

He said due to the complexity of the recommendations, the government will tackle the report in two stages to ensure that when a legislation is passed it is done right.

Furthermore, the Privacy Commissioner, Karen Curtis, who has been lobbying for the introduction of a data breach notification law for some time welcomed the recommendations as well as its suggested time frame.

According to the Office of the Privacy Commissioner, Curtis believes a staged response by Government to the 295 recommendations in the report is a sensible approach.

On the other hand, David Backlaws, security solutions architect at security company Unixpac, who has extensive security consultancy experience in major firms around the world, believes the courts need to push it just as much as the government.

He said, part of the problem in Australia is that there appears to be no or limited fear of liability.

“In the US and UK there’s a strong sense of liability,” said Backlaws. “In the case of breaches here, companies don’t seem to fear it.

“Big corporations here including ISPs are sending out malicious traffic and because there is no liability they don’t seem to care.

“It really shouldn’t be so relaxed,” he said.

Essentially, the Privacy Act needs to be broken up into different sectors for different uses – but I don’t think they will go that far, said Marquez.

alrcbreachdatagovernmentlawsecurity