Govt may force data breach disclosure


news In a move which has been debated and rumoured within the IT security industry for years, the Federal Government this week confirmed it would seek public opinion on whether it should force organisations to disclose when their databases containing personal information had been broken into by hackers – or even inadvertently.

Currently, organisations who have customer or stakeholder information stolen are not required under privacy laws to tell customers who may have been affected by such breaches. Generally the public is only informed about such situations if the organisation concerned volunteers the information, sometimes following a standardised approach promulgated by the Australian Privacy Commissioner, or if the public is made aware of the issue through other means, such as a leak to journalists.

Such data breaches occur regularly. For example, in just the past several months, telcos iiNet and AAPT have had some of their IT systems broken into, and some customer or employee information accesses. Neither company volunteered information about the breaches until journalists contacted them with enquiries. In a wider sense, breaches have become common globally over the past several years, with one high-profile event being the theft in mid-2011 of some 77 million accounts using Sony’s online PlayStation Network.

In a statement issued yesterday, Attorney-General Nicola Roxon said it was time for a public discussion on how legislation might deal with data breaches. “Australians who transact online rightfully expect their personal information will be protected,” Roxon said. “More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers. The question we are asking today is should organisations be required by law to make data breach notifications when they occur?”

To canvass the issue, Roxon’s Attorney-General’s Department has issued a discussion paper on the issue, noting that mandatory data breach notification schemes are in place or currently being considered in a number of jurisdictions, including the United States, the European Union, the United Kingdom and Ireland.

The discussion paper examines such issues as what constitutes a data breach and what should trigger a notification; who should be notified (for example, the Privacy Commissioner and/or affected consumers); and what penalties might be appropriate for failing to notify those affected.

“As with other public consultation on privacy issues, the Government expects – and welcomes – a wide range of views about whether this legislation is necessary,” Roxon said.

This discussion paper follows new legislation the Government introduced into the Parliament in May that makes sure Australia’s laws keep pace with the with changing consumer and business practices, particularly in the online environment. The legislation aims to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.

To be honest, I am really kind of scared about what will happen should Australia implement a mandatory data breach notification system. Why? Because I think there will be so many breaches disclosed that we will find it hard to keep up with all the breaches being disclosed. In some senses I feel as though I don’t quite want to know how bad things really are.

Currently, we really only hear about data breaches when a major hack has occurred. Something such as the PlayStation Network breach, where millions of accounts have been compromised and the company concerned has no choice but to disclose the issue, given that it’s already being inundated with queries from affected customers who are seeing weird activity on their account, or even simply being spammed.

If this kind of data breach notification system comes into play, I anticipate that Australians would see dozens, perhaps hundreds of notifications each year. Think about how many organisations hold your data. How many marketing databases you are on. How many people send you emails of a commercial nature occasionally. All of this would most likely be subject to mandatory data breach disclosure laws.

If you doubt the seriousness of this issue, then consider the series of audit reports which have been published into the security of various state and federal government departments and agencies in Australia over the past several years. To give you one example, in June 2011, Western Australia’s auditor-general handed down a landmark report which detailed the fact that none of a wide range of government departments and agencies in the state were currently able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.

In October 2010, NSW’s auditor-general Peter Achterstraat rubbished the State Government’s IT security procedures in a report published at that time, saying the state could not guarantee to its residents that it was keeping their information secure and away from prying eyes. In the report, Achterstraat wrote that NSW had been issuing edicts about electronic information security for a decade, with agencies having been directed since at least 2001 to develop and implement security policies around how they hold personal information and certify their IT systems.

Extrapolate this situation to most governments in Australia, the myriad of councils, and the many mid-level corporations and non-profits which maintain databases on customers and stakeholders but don’t have a good level of IT skills in-house to maintain the security of their systems, and you can start to see the potential magnitude of the problem. The reality is that sensitive information is getting hacked on a daily basis throughout Australia, and that very little of it is currently being disclosed. Perhaps one percent, or even less? It’s hard to say. But I think it will be somewhat scary finding out.


  1. I disagree Renai,

    All breaches should be revealed, simply because one breach can lead to a big one.

    Especially if it’s from the same Data Center.

    • I’m with Daniel.

      The point of these types of laws is to make companies that have our information do more to protect it.
      It may well be scary to find out how often our privacy is breached but I’d rather find out who’s not looking after MY PRIVATE INFORMATION than stick my head in the sand.

  2. Renai, if organisations lack the expertise to safeguard sensitive information that customers give them, they should not be soliciting that information. Full stop.

    On a professional level, disclosure laws will force organisations to investigate and hire good expertise. Win win.

  3. As someone who works in the IT security field, personally I find this an appropriate step forward. The problem is that in general, organisations take a very reactive approach to security and this is NOT the way it should be.

    Yes, initially this may cause many occurrences to be released to the media, however the embarrassment and the degrade in trust may actually force organisations, in general, to take an active stance on security. I do not believe the current mindset is the right one in an age where breaches occur far more frequently than is ever mentioned.

    Taking the IT security hat off – as a citizen, I want to know what is breached so that I know if I have information in that place that I should change my details. This may even mean that organisations are going to be less likely to ask for more personal information – they simply won’t want to take the risk on board.

    Lastly in regards to the government, I do not necessarily agree that government agencies should be exempt entirely – perhaps are delayed response after a fix has been applied. I can understand why the government don’t want to be able to disclose breaches – it erodes the trust in government (note: not just for this current government, but for all future governments). Also if they are forced to disclose a breach prior to getting a fix, this will just raise red flags as a vulnerable source of information.

  4. Does anyone else see the juxtaposition here between data breach disclosure and retaining internet history? On the one hand the AG is trying to protect consumers privacy by providing better disclosure of breaches and holding data custodians to account and on the other hand legislating for organisations with a variety of security competence to store a treasure trove of personal information.

    Surely these initiatives are going in different directions?

  5. I have no problem with this plan at all. I think it’s a sensible idea. Consumers should have the right to know if their data has been potentially exposed. We all know companies will never do the right thing here, so forcing their hand is in the public interest.

    Not every security idea or internet regulation suggested by the Governement is automatically a bad thing. This one sounds like it would a.) force companies into being as secure and responsible with our data as possible (no one wants the bad publicity from a data breach) and b.) protect the interests of the consumer online, so if there is a breach, people have the opportunity to quickly change passwords for other accounts (if like most people they are silly enough to use shared passwords for multiple accounts) and be aware of what exactly has been exposed and when.

  6. Interesting counterpoint to the Data Retention proposals. Although, IF the data retention were to go ahead, this would go hand in hand as RSP’s would be required to disclose breaches to the data.

    I think the issue of hacking needs to be made more mainstream so companies get on top of it. Too many simply knee-jerk when something happens and otherwise let security lapse regularly. Sure, it might be scary to know how many are being hacked first off…..but I’m sure they’d fix it if it was in the media every 2 weeks….

  7. I think this is a good idea, it will force businesses to reconsider what data they record as there will be liability associated with it. Why store non essential data if you have to deal with the consequences of its exfiltration?

  8. If you are required to report every security breach you detect, then is that encouraging companies to wind back on their detection activity? If they don’t know about it, they can’t report it – but that doesn’t make the breach any less serious.

    I like the idea of mandatory reporting, but you need to be careful about the behaviour you might encourage.

  9. I don’t want to know about every breach/intrusion they may have (say for a DDoS or defacing a web site), but I sure as heck want to know about it if they think they may have accessed my data!

Comments are closed.