Mandatory data breach notification urged after privacy law passage
- 03 December, 2012 16:46
The Australian privacy commissioner and a consumer group supported mandatory data breach notifications, in comments submitted today to the Attorney General.
Last week, Parliament passed a bill containing several amendments to privacy law. Among other things, the law gives Privacy Commissioner Timothy Pilgrim more powers, including the right to seek civil penalties for serious privacy breaches.
However, the privacy legislation did not include a more controversial provision requiring companies to notify customers in the case of a data breach. The proposal involves some tough issues, including what constitutes a breach and how soon after a breach a company should alert customers.
In today’s submission, the Office of the Australian Information Commissioner (OAIC) said it “supports the introduction of mandatory data breach notification legislation, as current voluntary data breach notification arrangements are insufficient.”
The Australian Communications Consumer Action Network (ACCAN) agreed on behalf of consumers in its own comments.
“A mandatory data breach notification requirement would provide greater information to consumers about the security of their personal information, and provide an incentive for organisations to improve their security practices,” ACCAN said.
The OAIC said notification should be triggered if the breach “gives rise to a ‘real risk of serious harm’ to an individual.”
“There should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test, and the specific elements that should be included in the notification trigger include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals.”
However, ACCAN seeks a broader trigger than “serious harm,” it said. “It is not clear, for instance, whether the disclosure of credit card information carries ‘a real risk of serious harm.’”
At the same time, ACCAN said it recognises “the concerns of ‘notification fatigue’ if notifications are made for too wide a range of events, and agree[s] that an excessively broad definition might contribute to this fatigue.”
The OAIC said notifications “should be made as soon as is reasonably practicable.”
ACCAN agreed: “Organisations should be responsible for notifying as soon as is practicable or reasonable after a breach is known (or reasonably suspected) to have occurred.”
“A set time limit would serve only to signal to organisations that notification could be delayed until that limit had been reached,” it said. “We note that delayed notification may be needed in particular cases, e.g. where notification would negatively impact on law enforcement activities.”
Follow Adam Bender on Twitter: @WatchAdam