iTnews

Dreyfus backs mandatory data breach laws

By Allie Coyne on Apr 29, 2013 1:47PM
More talks on the cards.

Attorney-General Mark Dreyfus has backed plans to introduce a mandatory data breach notification scheme in Australia.

The scheme was recommended by the Australian Law Reform Commission in 2008. It will require companies to inform the public whenever customers' personal information is compromised.

Former Attorney-General Nicola Roxon introduced a discussion paper on the topic last October, seeking feedback on what should trigger notification, who should be notified and which organisations should be subject to the regime.

Dreyfus said today the Government would engage in a 'small amount' of further talks with key stakeholders before deciding whether to implement such a system.

Speaking today at the launch of the 2012 Privacy Awareness Week, Dreyfus said any government agencies and organisations suffering a data breach should provide timely advice to affected parties.

He said the growing number of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme.

“If there continues to be under reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme,” he said.

Dreyfus cited a 2012 report by Canberra University's Centre for Internet Safety which found a majority of Australians supported data breach notifications.

"I believe government agencies or companies that suffer a data breach should provide timely advice to those who have or could have had their privacy infringed, and that seems to be the view of many Australians."

He highlighted recent breaches at the likes of the ABC, Telstra, Medvet and Sony Playstation as cases for a mandatory scheme.

“While I am an optimist, I do not anticipate we have yet seen the end of these types of breaches. A mandatory notification requirement may also act as an incentive for holders of information to secure it,” he said.

“The Government is carefully considering what has emerged from consultation and we’ll engage in a little bit more consultation before deciding which option we’re going to pursue.”

He did not give a timeframe for any potential legislative changes. The Attorney General's department has been contacted for further comment.

Privacy Commissioner Timothy Pilgrim also called for mandatory notification, warning that attacks like those leading to the recent arrest of Sydney-based alleged LulzSec hacker Matthew Flannery would continue, putting Australians' personal information at risk.

“In 2011/12, the OAIC [Office of the Australian Information Commissioner] received 1357 privacy complaints; that was an increase of 11 percent on the previous year," he said.

"Not surprisingly, data security was one of the top four reasons for most complaints against the private sector, and featured prominently in the majority of our own investigations."

In its response to Roxon's October 2012 discussion paper, the OAIC stated that Australia's existing voluntary data breach notification arrangements were insufficient.

The OAIC recommended:

  • that notification occur when a breach gives rise to a ‘real risk of serious harm’ to an individual;
  • that a ‘catch-all’ test should apply to a range of circumstances; and
  • that a notification should include the type of personal information involved in the breach, the context of the information and the breach, and the cause and extent of the breach and the risk of harm.

It also suggested the notification should include an incident description and the organisation’s response to the breach.

Pilgrim said the OAIC should have the power to compel notification and impose civil penalties on those who fail to comply.

Privacy reforms

The new Privacy Act 2012 will come into effect in March 2014. Changes to the 24-year-old Act include 13 new privacy principles which cover both private and public sectors, called Australian Privacy Principles (APPs).

The APPs replace the existing Information Privacy Principles (IPPs) for the public sector and National Privacy Principles (NPPs) which apply to the private sector.

Additionally, the Privacy Commissioner will benefit from increased powers including the ability to accept enforceable undertakings; seek civil penalties; and conduct performance assessments of privacy performance for government agencies and businesses.

Credit reporting laws will also change under the new Act. New features include: more comprehensive reporting; a simplified complaints process; prohibition on reporting of credit information about children and defaults less than $150; specific rules dealing with pre-screening of credit offers and an individual’s ability to freeze access to credit-related personal information in cases of suspected identity theft/fraud; and civil penalties for breaches of certain provisions.
