Mandatory data breach notification urged after privacy law passage
- 03 December, 2012 16:46
The Australian privacy commissioner and a consumer group supported mandatory data breach notifications, in comments submitted today to the Attorney General.
Last week, Parliament passed a bill containing several amendments to privacy law. Among other things, the law gives Privacy Commissioner Timothy Pilgrim more powers, including the right to seek civil penalties for serious privacy breaches.
However, the privacy legislation did not include a more controversial provision requiring companies to notify customers in the case of a data breach. The proposal involves some tough issues, including what constitutes a breach and how soon after a breach a company should alert customers.
In today’s submission, the Office of the Australian Information Commissioner (OAIC) said it “supports the introduction of mandatory data breach notification legislation, as current voluntary data breach notification arrangements are insufficient.”
The Australian Communications Consumer Action Network (ACCAN) agreed on behalf of consumers in its own comments.
“A mandatory data breach notification requirement would provide greater information to consumers about the security of their personal information, and provide an incentive for organisations to improve their security practices,” ACCAN said.
The OAIC said notification should be triggered if the breach “gives rise to a ‘real risk of serious harm’ to an individual.”
“There should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test, and the specific elements that should be included in the notification trigger include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals.”
However, ACCAN seeks a broader trigger than “serious harm,” it said. “It is not clear, for instance, whether the disclosure of credit card information carries ‘a real risk of serious harm.’”
ACCAN said it nonetheless recognises “the concerns of ‘notification fatigue’ if notifications are made for too wide a range of events, and agree[s] that an excessively broad definition might contribute to this fatigue.”
The OAIC said notifications “should be made as soon as is reasonably practicable.”
ACCAN agreed: “Organisations should be responsible for notifying as soon as is practicable or reasonable after a breach is known (or reasonably suspected) to have occurred.”
“A set time limit would serve only to signal to organisations that notification could be delayed until that limit had been reached,” it said. “We note that delayed notification may be needed in particular cases, e.g. where notification would negatively impact on law enforcement activities.”
Follow Adam Bender on Twitter: @WatchAdam