Govt finally introduces data breach laws

blog Those of you who work in the IT security field might want to pay attention to this. In the past, there hasn’t been a huge onus on organisations which suffered security breaches that resulted in sensitive data exiting the building to disclose those breaches. It was … usually kind of OK to just keep quiet about the leak, and try and plug the hole. Fortunately for consumers affected by this kind of thing, this is no longer the case. If your organisation suffers a major data breach, you’re now going to be required to tell affected stakeholders about it. The media release issued this week on the issue by Attorney-General Mark Dreyfus:

New laws to be introduced in Parliament tomorrow will require businesses and government agencies to notify people when a data breach affecting their privacy occurs.

“With businesses and government agencies holding more information about Australians than ever before, it is essential that privacy is safeguarded,” Attorney-General Mark Dreyfus QC said. “The new laws will alert consumers to breaches of their privacy, so that they can change passwords, improve security settings and make other changes as they see fit.”

Data breaches can be the result of hacking, poor security and sometimes carelessness. “Some data breaches have exposed the personal information of tens of thousands of Australians,” Mr Dreyfus said. “The laws are good for consumers because they protect privacy, and are good for business because they will help create openness and trust.”

The new laws will also require notification of data breaches to the Office of the Australian Information Commissioner.

“To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches,” Mr Dreyfus said. “Last year the Government made the biggest changes to the Privacy Act 1988 since it began in 1989. The Government is serious about privacy and these new laws demonstrate our continuing commitment.”

The laws will apply to all entities covered by the Privacy Act 1988 including many businesses, but they will not impose an unreasonable burden on business. The notification requirements do not apply to all data breaches, only breaches that give rise to a risk of serious harm. The Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.

From your writer’s point of view, this is a necessary law. If an organisation has had a substantial data leak, those affected should be informed of that leak. Large Australian organisations may not be too happy about having to disclose this kind of stuff, but that’s kind of the burden of responsibility for holding sensitive data in the first place. You screw up, now you have to ‘fess up. Fair?