Security and technology heads at top Australian organisations say the impact of a mandatory data breach reporting scheme on businesses will largely depend on what the Federal Government determines are 'reasonable' security controls.
Plans for a data breach notification scheme were shared with a small number of stakeholders as the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, obtained by SC.
The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Federal Privacy Commissioner, affected consumers and on occasion the media when data breaches occur.
Under the scheme the Federal Privacy Commissioner would consider whether an affected organisation has taken 'reasonable steps' to protect its customer data in deciding whether to pursue fines or enforce a public notification of a breach.
Security and technology heads speaking at an SC and ITnews roundtable on the impact of data breach notification said the details of what counts as 'reasonable steps' were critical to understanding the impact the scheme could have on Australian businesses.
For organisations with strong security, the scheme would serve only as an extension of existing controls.
“We are a customer-facing organisation and already have processes in place to communicate with customers,” Vodafone Australia head of information security Eyman Ahmed Ahmed said at the roundtable in Sydney.
“I think it is worth asking, 'what is the scope of ‘reasonable’? … Is the scope that my SIEM (Security Information and Event Management) deployment is built against ‘reasonable’ or do I have to extend it to every critical system?"
Security managers were concerned that a data breach notification scheme could also affect outsourcing contracts.
Under the exposure draft, organisations could be liable for data breaches at their outsource providers if the Privacy Commissioner found they did not ensure reasonable security controls were in place prior to contracts being signed.
Organisations may be able to minimise the risk of falling foul of the scheme by properly documenting the security measures they have taken, Sydney University information security manager Daniel Grzelak suggested.
“Documenting that you’ve taken reasonable steps, rather than investing in prescriptive technologies” could be the way to achieve compliance with data breach notification laws.
“The definition of ‘reasonable’ is up in the air, so perhaps the only way to say you’ve taken reasonable steps is in your documentation.”