BreachExchange mailing list archives

Australia divided over data breach laws


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Wed, 22 Feb 2012 14:03:25 -0500

http://www.zdnet.com.au/australia-divided-over-data-breach-laws-339332126.htm

Australian organisations remain divided over the issue of data breach
notification laws, leaving the Department of the Prime Minister and
Cabinet with mixed signals over what to do in regards to planning a
strategy for Australia's digital future.

The need for data breach notification laws has been long debated, with
the recommendation for such legislation proposed by the Australian Law
Reform Commission in 2008. Such legislation would place a legal
requirement on organisations to inform their users in the event of a
data breach.

As part of the cyber discussion paper (PDF), the Australian Government
raised the question of how the reporting of data breaches should be
handled and encouraged.

Optus felt that the existing method of promotion and general awareness
of the Office of the Australian Information Commissioner's (OAIC)
voluntary data breach notification guidelines would be sufficient,
although it did state that the OAIC could set out clear information as
to when those guidelines come into place. Telstra appeared to
partially agree, stating that breaches should continue to be
voluntarily reported, but legislation to support such reporting should
be examined.

The OAIC, which also covers the Australian Privacy Commissioner,
disagreed with the telcos' partial approach and stated in its
submission that it continued to stand by its recommendation for
mandatory data breach notifications. It also stated that it was
reviewing its voluntary guidelines for handling breaches.

The Internet Industry Association (IIA), which represents both Optus
and Telstra, took a similar view to the telcos, but reasoned that
establishing laws to force breach notification could be to the
detriment of local industries.

"Take for example an e-commerce site hosted in the United Kingdom with
Australian customers," its submission read. "The creation of mandatory
breach laws here may not be enforceable against such companies
rendering the regime either meaningless or disadvantageous to
Australian-based companies who are forced to comply. This in turn may
create an incentive to host offshore undermining the policy intent."

The IIA recommended a "collaborative industry-led approach using a
code-based framework (possibly co-regulatory)" to solve the issue of
breach notifications.

However, the Australian Privacy Foundation (APF) said in its
submission that hiding behind issues of jurisdiction only fostered a
culture of "avoiding 'difficult cases'" and the reality was that
Australian law in many cases already had the ability to reach beyond
local borders.

"For example, such an extraterritoriality is clearly anticipated in
s.7 of the Spam Act 2003 (Cth), it is found in s.5B of the Privacy Act
1988 (Cth) and can be implied from s.67 of the Australian Consumer Law
(Schedule 2 of the Competition and Consumer Act 2010 (Cth))," APF's
submission read.

"A sober-minded consideration of the real state of things shows that
the problem is not so much found in the reach of Australian law.
Rather the problem stems from a lacking willingness, and in some cases
capacity, to enforce that law in relation to foreign-based parties.

"One does not have to dig particularly deep to be struck by the
inadequacy of how Australian conflict of laws rules treat consumers.
For example, while European e-consumers are afforded protection
through the right to sue, and be sued, in their country of domicile,
no similar protection is provided to Australian e-consumers."

The Australian Information Security Association's submission followed
a similar vein of thought, stating that Australia should introduce
laws for mandatory reporting and use the lessons learned from other
countries that have already done so as guidance.

There were also a number of submissions that appeared to be sitting on
the fence, while obviously aware of the issue.

Electronic Frontiers Australia did not take any side, but instead
highlighted the importance of a discussion about laws protecting those
who discover data breaches.

"Customers who discover security problems should be protected. Whether
this means we need legislative protection for security whistleblowers
etc is a question that should be investigated, but it clearly
demonstrates that some major institutions have very poor understanding
of appropriate policy to maintain security."

Additionally, the Attorney-General's Department, while acknowledging
that the topic of data breach notifications was previously recommended
as an issue raised by the Quintet of Attorneys-General, did not
explicitly list it as a priority area that the Cyber White Paper
should consider.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/