Mandatory data breach notification urged after privacy law passage
- 03 December, 2012 16:46
The Australian privacy commissioner and a consumer group supported mandatory data breach notifications, in comments submitted today to the Attorney General.
Last week, Parliament passed a bill containing several amendments to privacy law. Among other things, the law gives Privacy Commissioner Timothy Pilgrim more powers, including the right to seek civil penalties for serious privacy breaches.
However, the privacy legislation did not include a more controversial provision requiring companies to notify customers in the case of a data breach. The proposal involves some tough issues, including what constitutes a breach and how soon after a breach a company should alert customers.
In today’s submission, the Office of the Australian Information Commissioner (OAIC) said it “supports the introduction of mandatory data breach notification legislation, as current voluntary data breach notification arrangements are insufficient.”
The Australian Communications Consumer Action Network (ACCAN) agreed on behalf of consumers in its own comments.
“A mandatory data breach notification requirement would provide greater information to consumers about the security of their personal information, and provide an incentive for organisations to improve their security practices,” ACCAN said.
The OAIC said notification should be triggered if the breach “gives rise to a ‘real risk of serious harm’ to an individual.”
“There should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test, and the specific elements that should be included in the notification trigger include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals.”
However, ACCAN seeks a broader trigger than “serious harm,” it said. “It is not clear, for instance, whether the disclosure of credit card information carries ‘a real risk of serious harm.’”
ACCAN nonetheless said it recognises “the concerns of ‘notification fatigue’ if notifications are made for too wide a range of events, and agree[s] that an excessively broad definition might contribute to this fatigue.”
The OAIC said notifications “should be made as soon as is reasonably practicable.”
ACCAN agreed: “Organisations should be responsible for notifying as soon as is practicable or reasonable after a breach is known (or reasonably suspected) to have occurred.”
“A set time limit would serve only to signal to organisations that notification could be delayed until that limit had been reached,” it said. “We note that delayed notification may be needed in particular cases, e.g. where notification would negatively impact on law enforcement activities.”
Follow Adam Bender on Twitter: @WatchAdam