In a move which has been debated and rumoured within the IT security industry for years, the Federal Government this week confirmed it would seek public opinion on whether it should force organisations to disclose when their databases containing personal information had been broken into by hackers – or even inadvertently.
Currently, organisations who have customer or stakeholder information stolen are not required under privacy laws to tell customers who may have been affected by such breaches. Generally the public is only informed about such situations if the organisation concerned volunteers the information, sometimes following a standardised approach promulgated by the Australian Privacy Commissioner, or if the public is made aware of the issue through other means, such as a leak to journalists.
Such data breaches occur regularly. For example, in just the past several months, telcos iiNet and AAPT have had some of their IT systems broken into, and some customer or employee information accessed. Neither company volunteered information about the breaches until journalists contacted them with enquiries. In a wider sense, breaches have become common globally over the past several years, with one high-profile event being the theft in mid-2011 of details of some 77 million accounts from Sony’s online PlayStation Network.
In a statement issued yesterday, Attorney-General Nicola Roxon said it was time for a public discussion on how legislation might deal with data breaches. “Australians who transact online rightfully expect their personal information will be protected,” Roxon said. “More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers. The question we are asking today is should organisations be required by law to make data breach notifications when they occur?”
To canvass the issue, Roxon’s Attorney-General’s Department has issued a discussion paper, noting that mandatory data breach notification schemes are in place or currently being considered in a number of jurisdictions, including the United States, the European Union, the United Kingdom and Ireland.
The discussion paper examines such issues as what constitutes a data breach and what should trigger a notification; who should be notified (for example, the Privacy Commissioner and/or affected consumers); and what penalties might be appropriate for failing to notify those affected.
“As with other public consultation on privacy issues, the Government expects – and welcomes – a wide range of views about whether this legislation is necessary,” Roxon said.
This discussion paper follows new legislation the Government introduced into the Parliament in May that makes sure Australia’s laws keep pace with changing consumer and business practices, particularly in the online environment. The legislation aims to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.
To be honest, I am really kind of scared about what will happen should Australia implement a mandatory data breach notification system. Why? Because I think there will be so many breaches disclosed that we will find it hard to keep up with all the breaches being disclosed. In some senses I feel as though I don’t quite want to know how bad things really are.
Currently, we really only hear about data breaches when a major hack has occurred. Something such as the PlayStation Network breach, where millions of accounts have been compromised and the company concerned has no choice but to disclose the issue, given that it’s already being inundated with queries from affected customers who are seeing weird activity on their account, or even simply being spammed.
If this kind of data breach notification system comes into play, I anticipate that Australians would see dozens, perhaps hundreds of notifications each year. Think about how many organisations hold your data. How many marketing databases you are on. How many people send you emails of a commercial nature occasionally. All of this would most likely be subject to mandatory data breach disclosure laws.
If you doubt the seriousness of this issue, then consider the series of audit reports which have been published into the security of various state and federal government departments and agencies in Australia over the past several years. To give you one example, in June 2011, Western Australia’s auditor-general handed down a landmark report which detailed the fact that none of a wide range of government departments and agencies in the state were currently able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.
In October 2010, NSW’s auditor-general Peter Achterstraat rubbished the State Government’s IT security procedures in a report published at that time, saying the state could not guarantee to its residents that it was keeping their information secure and away from prying eyes. In the report, Achterstraat wrote that NSW had been issuing edicts about electronic information security for a decade, with agencies having been directed since at least 2001 to develop and implement security policies around how they hold personal information and certify their IT systems.
Extrapolate this situation to most governments in Australia, the myriad of councils, and the many mid-level corporations and non-profits which maintain databases on customers and stakeholders but don’t have a good level of IT skills in-house to maintain the security of their systems, and you can start to see the potential magnitude of the problem. The reality is that sensitive information is getting hacked on a daily basis throughout Australia, and that very little of it is currently being disclosed. Perhaps one percent, or even less? It’s hard to say. But I think it will be somewhat scary finding out.