BreachExchange mailing list archives

Australian privacy commissioner calls for mandatory data breach notification


From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 5 Dec 2012 13:22:51 -0500

http://computerworld.co.nz/news.nsf/security/mandatory-data-breach-notification-urged-after-privacy-law-passage

The Australian privacy commissioner and a consumer group supported
mandatory data breach notifications, in comments submitted today to
the Attorney General.

Last week, the Australian Parliament passed a bill containing several
amendments to privacy law. Among other things, the law gives Privacy
Commissioner Timothy Pilgrim more powers, including the right to seek
civil penalties for serious privacy breaches.

However, the privacy legislation did not include a more controversial
provision requiring companies to notify customers in the case of a
data breach. The proposal involves some tough issues, including what
constitutes a breach and how soon after a breach a company should
alert customers.

In today's submission, the Office of the Australian Information
Commissioner (OAIC) said it "supports the introduction of mandatory
data breach notification legislation, as current voluntary data breach
notification arrangements are insufficient."

The Australian Communications Consumer Action Network (ACCAN) agreed
on behalf of consumers in its own comments.

"A mandatory data breach notification requirement would provide
greater information to consumers about the security of their personal
information, and provide an incentive for organisations to improve
their security practices," ACCAN said.

The OAIC said notification should be triggered if the breach "gives
rise to a 'real risk of serious harm' to an individual."

"There should be a catch-all test that is able to apply to a range of
circumstances, rather than a prescriptive test, and the specific
elements that should be included in the notification trigger include
the type of personal information involved in the breach, the context
of the affected information and the breach, the cause and extent of
the breach and the risk of harm to the affected individuals."

However, ACCAN seeks a broader trigger than "serious harm," it said.
"It is not clear, for instance, whether the disclosure of credit card
information carries 'a real risk of serious harm.'"

At the same time, ACCAN said it recognises "the concerns of 'notification
fatigue' if notifications are made for too wide a range of events, and
agree[s] that an excessively broad definition might contribute to this
fatigue."

The OAIC said notifications "should be made as soon as is reasonably
practicable."

ACCAN agreed: "Organisations should be responsible for notifying as
soon as is practicable or reasonable after a breach is known (or
reasonably suspected) to have occurred."

"A set time limit would serve only to signal to organisations that
notification could be delayed until that limit had been reached," it
said. "We note that delayed notification may be needed in particular
cases, e.g. where notification would negatively impact on law
enforcement activities."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
