Regulations which will force Australian organisations to disclose whenever customers’ data has been stolen may be one step closer following the disastrous hacking of Sony’s PlayStation Network over the past few weeks.
In a statement issued yesterday, Justice, Home Affairs, and Privacy and Freedom of Information Minister Brendan O’Connor said such a system “appears necessary” in the face of privacy breaches “such as those we’ve unfortunately seen recently”.
The Australian security industry has been debating the need for such a system for some time. Under current law, many security breaches are kept quiet, despite potentially damaging consequences for those who have had their information stolen. The PlayStation case, which resulted in extensive downtime for the online gaming network following a virtual break-in and the theft of customer information, could affect up to 1.5 million Australians.
At the heart of the changing legislative path is the Federal Government’s pending response to the Australian Law Reform Commission’s review of Australian privacy law. Dubbed For Your Information – Australian Privacy Law and Practice, the report was released in August 2008 and contained a strong recommendation that Australia introduce data breach disclosure laws.
However, at the time, Special Minister of State, Senator John Faulkner, told journalists it was likely to be at least 18 months before the Government would consider legislating for mandatory data breach laws. This week, O’Connor didn’t give a firm commitment as to when the Government would respond to the mandatory data breach recommendation in the ALRC report.
“The Government will consider its response to the remaining 98 recommendations of the ALRC review into privacy, including a proposal to require companies to inform customers of a data breach,” he said. However, the Minister noted he was “very concerned” about the alleged theft of personal data belonging to customers who had PlayStation Network accounts.
“I’ve raised the issue with the Privacy Commissioner,” he said. “The Privacy Commissioner has the power to investigate potential breaches of privacy, and may do so in response to a complaint or of his own volition. I understand the Privacy Commissioner has made enquiries with Sony, and will be opening an ‘own motion’ investigation. I don’t want to interfere with that, but it is very disappointing to me that it took Sony several days to inform its customers about the breach.”
In addition, the Minister said, Sony wasn’t alone in its problems.
“We’ve seen serious privacy-related incidents in recent months involving other large companies. All companies that collect customers’ personal information must ensure that the information is safe and secure from misuse,” he said.