BreachExchange mailing list archives

Delayed Australian data breach notification bill lands


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Dec 2015 14:14:44 -0700

http://www.theage.com.au/it-pro/security-it/delayed-australian-data-breach-notification-bill-lands-20151203-glfbnt.html

Australians will be informed of certain breaches of their personal
information under new laws being proposed by the Turnbull government, but
only if the company or organisation breached turns over $3 million in
revenue a year.

The Attorney-General's Department released on Thursday an exposure draft of
the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015,
which will require entities to disclose serious breaches of peoples'
information.

The government was meant to introduce the bill into parliament before the
end of the year but left it until the last sitting day of the year to
release an exposure draft before its likely introduction into parliament
next year.

If passed, the bill will require companies to disclose a breach within 30
days if it concerns personal information and "there is a real risk of
serious harm to any of the individuals" to whom the information relates.

At present, companies, federal government agencies and various other
Australian organisations are not required to disclose breaches by law.
Nothing stops them, however, from voluntarily disclosing a breach.

Vice chair of the Australian Privacy Foundation, David Vaile, said that
the $3 million threshold of compliance — something that has existed in the
Privacy Act for some time — was "a potential problem".

"A backyard data-munging operation can now cause as much damage, and
release as much data (but may be less scrupulous or well defended) than any
big bank, telco or government agency," he said.

Chief executive officer of the Consumer Action Law Centre, Gerard Brody,
agreed, saying that individuals should have a fundamental right to be
informed of "any data breach involving personal information about them".

"This is not just because of potential adverse consequences caused by the
release of personal information, but also a fundamental human right to
autonomy," Mr Brody said.

Ty Miller, of computer security firm Threat Intelligence, said that whether
or not a breach is disclosed should not be based on how much money an
organisation earns but the sensitivity and the amount of data breached.

"[Under this bill] you could have a project that is collecting millions of
peoples' details and not have to notify anyone affected by the breach
because you are not earning any money from it."

Despite this, he said Australia needed some form of data breach
notification scheme because there was a large number of security breaches
occurring that were not being disclosed.

"Ninety nine per cent of organisations that we do audits on have had
customer data stolen," he said, adding that very few companies reported
breaches to the privacy commissioner or to affected individuals.

Tom Godfrey, a spokesman for consumer group CHOICE, also said he hoped that
regardless of the legislation all companies would proactively provide data
breach information to their customers.

"Any company, regardless of size, should be interested in protecting their
customers and notifying them when there's a real risk that their personal
data could have fallen into the wrong hands," Mr Godfrey said.

Asia Pacific technology practice leader at law firm Norton Rose Fulbright,
Nick Abrahams, said that while the bill was necessary and brought Australia
into line with the rest of the developed world, it still needed some work.

If a security vulnerability was found in a system and someone approached a
company to report that they were able to access personal information but
did not do anything illegal with it, he questioned whether it needed to be
disclosed.

"Is that a disclosable incident?" Mr Abrahams asked. "That appears to be
something where there's a need for clarity."

Privacy Commissioner Timothy Pilgrim said a mandatory notification scheme
would provide confidence to all Australians that, in the event of a serious
data breach, they would be given the opportunity to manage their personal
information. "Notification enables people affected by a breach to take
steps to protect their personal information; such as cancelling credit
cards or updating log ins with service providers."

Submissions from the public concerning the draft bill are due by March 4.