What's a fair punishment for data breaches?

In the absence of notification laws, Australian organisations had no legal obligation to notify the Office of the Privacy Commissioner of a data breach, but could voluntarily do so.

Former Privacy Commissioner Malcolm Crompton speculated that business was suffering from uncertainty around whether mandatory notification laws would be introduced.

“It will be good for individuals and good for business through the eventual creation of confidence in business and government when they can prove that they can manage personal information safely,” he said.

Similar laws in some US states imposed penalties on failures to notify individuals. For example, Indiana classified failure to notify as “a deceptive act” that could incur a fine of up to $US150,000.

The University of Canberra’s Arnold noted that organisations may object to mandatory reporting over fears that consumers and shareholders may not differentiate between negligence, inescapable, trivial and non-trivial breaches.

Verizon this year found a “virtual explosion” of data breaches in organisations with between 11 and 100 staff.

But its Asia-Pacific managing principal of Investigative Response Mark Goudie would not argue for or against data breach notification laws, noting that US laws had led to “consumer outrage” but had an unknown effect on information security.

Arnold also highlighted fears that mandatory reporting could lead to “data breach fatigue”, following which consumers would “give up and stop taking sensible precautions on their own”.

But he argued that notification laws would give lawmakers more information so they could “benchmark good practice and build good law”.

“In Australia we don’t have much solid information about the frequency, targets and scale of data breaches,” he said. “There’s lots of speculation, much disagreement, much complacency.

“If we don’t know that the data is being breached we cannot shame [negligent organisations]. They don’t get smacked by the regulators, they aren’t deserted by consumers who realise that they can’t be trusted, they aren’t penalised by insurers.”