[LINK] Australian data breach notification law?
stephen at melbpc.org.au
Wed May 2 23:37:03 AEST 2007
Data in Danger
Karen Dearne MAY 01, 2007
<http://australianit.news.com.au/articles/0,7204,21633873%5E16681%5E%5Enbv%5E,00.html>
COMPANIES may face tough new data protection rules requiring them to tell
customers when personal records are lost or exposed, as support grows for
a US-style mandatory data breach notification law.
Leading credit reporting provider Veda Advantage is calling on businesses
to lead the way in applying stronger data governance standards to
sensitive customer information held in company systems.
Veda, formerly Baycorp Advantage, which holds data on the financial
dealings of more than 14.5 million Australians, says there has been
an "explosion" in the amount of personal information being captured and
shared across organisations and national borders, creating new risks.
"In Australia this year, digitally stored data will reach 176,000TB, with
one terabyte equivalent to 1000 copies of the Encyclopaedia Britannica,
and this vast mass of information now moves around the world through
backup servers and around-the-clock facilities," Veda information
services manager Erica Hughes says.
"Much of this information is now networked, not locked up in Big Brother
data banks, as we feared 20 or 30 years ago.
"This world of information networks just wasn't foreseen by the pioneers
who drafted the first data protection principles."
Risks for consumers are growing, and a stronger approach is needed,
Hughes says. "Business needs to lead the way," she says.
"If we don't get this right now, we will not be able to reap the benefits
of the information revolution."
Veda Advantage's submission to the Australian Law Reform Commission's
privacy review recommends the introduction of voluntary standards for
organisations handling sensitive data, which become binding upon
adoption.
It also recommends greater controls over the indirect collection of data
from individuals, and a means of notifying third party collection,
stronger rules for trans-border data flows, and the use of digital
signatures to help people manage their own portfolio of data consents.
"Our company now controls much more data than that directly collected
from the public," Veda says. "These secondary relationships are not fully
accommodated" under the Privacy Act.
"The credit reporting network we operate is only one of the information
networks in our economy.
"These networks are largely hidden from the individual.
"The current practice of information privacy does not accurately reflect
the long-term nature of most relationships.
"Consumers grant consents at the beginning of a transaction, but may
subsequently have little real control over their personal information.
"Businesses often construct that consent as broadly as possible to avoid
later use being questioned."
Veda says the legislation must more clearly reflect the original purpose,
which was to permit the free flow of information while protecting
individual privacy.
"We submit that the best way of achieving better privacy practices is to
provide incentives for organisations to improve their practices in
collaboration with regulators and advocates."
Privacy consultant and former privacy commissioner Malcolm Crompton says
Veda's "strong and very interesting submission is certainly not way out
there. A lot of responsible companies are thinking along these lines."
"Microsoft, Hewlett-Packard and others have been calling for better
privacy law in the US," he says.
"Companies are waking up to the fact that a sensible regulatory framework
is smarter than you'd think.
"I'd suggest that Veda's position is extremely sensible.
"It comes back to the saying: good privacy is good for business."
Nigel Waters, chairman of the Australian Privacy Foundation's policy
committee, however, rejects the good-for-business refrain in favour of
tough action.
"Frankly, on a risk assessment basis, local businesses would be perfectly
entitled to take the view that privacy laws don't matter because there is
very little downside in getting it wrong," he says. "That has to change.
"Unfortunately, we've had seven years of the private sector trying the
softly, softly approach and it just doesn't work.
"It seems you need an incentive for businesses to take privacy seriously,
and what better incentive than having to tell all your customers you've
stuffed up."
Compulsory notification of data loss or exposure has been flagged by
Privacy Commissioner Karen Curtis in her submission to the ALRC review.
Data breach notification would "provide a strong market incentive" for
companies to properly secure databases containing consumer information,
she says.
This approach derives from the US, where more than 30 states have passed
laws requiring businesses to tell individuals about security breaches
since California passed its law in July 2005.
The numbers are truly terrifying. According to a log kept by the Privacy
Rights Clearinghouse, the number of records breached since January 2005
passed the 100 million mark in early December.
Last week, the total had jumped to almost 154 million exposures. Since
many data breaches are not reported, the real numbers are likely to be
even greater.
Malcolm Crompton says the clearinghouse log shows evidence of some very
sloppy information handling practices.
Worryingly, there is no evidence as to whether Australia is doing better
or worse.
"We literally don't know the equivalent data here because there is no law
requiring disclosure."
However, Crompton thinks there's little doubt the ALRC will be
considering a data breach notification law.
"The California law has been the only new piece of thinking on privacy
legal frameworks in a very long time, and it's having a remarkable
impact," he says.
"The European data commissioner has proposed such a law, while in Britain
the banking regulator has just busted a building society, Nationwide, for
a security breach.
"People all over are looking at the American experiment, and thinking
they had better do that too," he says.
In February, Britain's Financial Services Authority fined Nationwide
£980,000 ($2.36 million) following the theft of a laptop from the home of
an employee.
The authority's investigation found that the building society didn't have
adequate data security in place, putting at risk confidential information
on about 11 million customers.
Crompton notes that it's interesting that the City watchdog, rather than
the information commissioner, took action in this case.
"The FSA has managed to find something in the banking laws to say that
the company should have told its customers," he says.
"Using existing laws to begin to say data breach notifications should
happen is a big new development globally."
Meanwhile, Britain's Information Commissioner's Office is supporting
compensation for individuals who have suffered damage as a result of data
breaches. The office's deputy commissioner, David Smith, recently
released guidelines on making a compensation claim against an
organisation that has breached the Data Protection Act and on taking the
matter to court if necessary.
In Canada, the Internet Policy and Public Interest Clinic has called for
mandatory notification of security breaches.
In a white paper it says: "Breach notification laws clearly provide
organisations with an incentive to prevent breaches if they know that
such breaches will carry significant costs for reporting and as a result
of negative publicity. Conversely, the ability to cover up data security
breaches simply encourages complacency and rewards incompetence."
Failure to warn individuals of the potential for identity fraud is
probably negligent, the white paper says.
Nigel Waters says the authority is hopeful that notification laws will
help to hold businesses accountable - a substitute for enforcement in the
absence of muscle from the privacy commissioner.
When the private sector laws were introduced, the commissioner regularly
audited firms to monitor and advise on data handling practices, but the
program was dropped because of a shortage of resources.
"Basically, we've given up on the commissioner taking an active
enforcement role," Waters says. "At the moment, unless somebody happens
to be affected and thinks about complaining, there's no way for breaches
to come to light.
"The complaints experience is such that people don't bother to complain
any more because they know it's going to take so long.
"Even if the complaint does finally rise to the top of the pile, all that
happens is a mild slap on the wrist."
Malcolm Crompton has a more optimistic view of business behaviour.
"We'll see new ways of doing things," he says.
"The traditional model left everything in the hands of the privacy
commissioner.
"If you think about the equivalent role in finances, we don't have the
Australian auditor-general auditing all companies.
"Each company is required to find its own auditor who meets accredited
standards.
"So perhaps we may see auditors, or other trust agents, appointed to tick
off companies to ensure they're meeting regulatory requirements for data."
The Australian
--
Cheers all ..
Stephen Loosley
Victoria, Australia