BreachExchange mailing list archives
Australian privacy commissioner calls for mandatory data breach notification
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Wed, 5 Dec 2012 13:22:51 -0500
http://computerworld.co.nz/news.nsf/security/mandatory-data-breach-notification-urged-after-privacy-law-passage

The Australian privacy commissioner and a consumer group supported mandatory data breach notifications, in comments submitted today to the Attorney General.

Last week, the Australian Parliament passed a bill containing several amendments to privacy law. Among other things, the law gives Privacy Commissioner Timothy Pilgrim more powers, including the right to seek civil penalties for serious privacy breaches.

However, the privacy legislation did not include a more controversial provision requiring companies to notify customers in the case of a data breach. The proposal involves some tough issues, including what constitutes a breach and how soon after a breach a company should alert customers.

In today's submission, the Office of the Australian Information Commissioner (OAIC) said it "supports the introduction of mandatory data breach notification legislation, as current voluntary data breach notification arrangements are insufficient."

The Australian Communications Consumer Action Network (ACCAN) agreed on behalf of consumers in its own comments. "A mandatory data breach notification requirement would provide greater information to consumers about the security of their personal information, and provide an incentive for organisations to improve their security practices," ACCAN said.

The OAIC said notification should be triggered if the breach "gives rise to a 'real risk of serious harm' to an individual."

"There should be a catch-all test that is able to apply to a range of circumstances, rather than a prescriptive test, and the specific elements that should be included in the notification trigger include the type of personal information involved in the breach, the context of the affected information and the breach, the cause and extent of the breach and the risk of harm to the affected individuals."

However, ACCAN seeks a broader trigger than "serious harm," it said. "It is not clear, for instance, whether the disclosure of credit card information carries 'a real risk of serious harm.'"

However, ACCAN said it recognises "the concerns of 'notification fatigue' if notifications are made for too wide a range of events, and agree[s] that an excessively broad definition might contribute to this fatigue."

The OAIC said notifications "should be made as soon as is reasonably practicable."

ACCAN agreed: "Organisations should be responsible for notifying as soon as is practicable or reasonable after a breach is known (or reasonably suspected) to have occurred."

"A set time limit would serve only to signal to organisations that notification could be delayed until that limit had been reached," it said. "We note that delayed notification may be needed in particular cases, e.g. where notification would negatively impact on law enforcement activities."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/