[LINK] Australian data breach notification law?

stephen at melbpc.org.au
Wed May 2 23:37:03 AEST 2007


Data in Danger
Karen Dearne MAY 01, 2007
<http://australianit.news.com.au/articles/0,7204,21633873%5E16681%5E%5Enbv%5E,00.html>

COMPANIES may face tough new data protection rules requiring them to tell 
customers when personal records are lost or exposed, as support grows for 
a US-style mandatory data breach notification law.

Leading credit reporting provider Veda Advantage is calling on businesses 
to lead the way in applying stronger data governance standards to 
sensitive customer information held in company systems. 

Veda, formerly Baycorp Advantage, which holds data on the financial 
dealings of more than 14.5 million Australians, says there has been 
an "explosion" in the amount of personal information being captured and 
shared across organisations and national borders, creating new risks. 

"In Australia this year, digitally stored data will reach 176,000TB, with 
one terabyte equivalent to 1000 copies of the Encyclopaedia Britannica, 
and this vast mass of information now moves around the world through 
backup servers and around-the-clock facilities," Veda information 
services manager Erica Hughes says. 

"Much of this information is now networked, not locked up in Big Brother 
data banks, as we feared 20 or 30 years ago. 

"This world of information networks just wasn't foreseen by the pioneers 
who drafted the first data protection principles." 

Risks for consumers are growing, and a stronger approach is needed, 
Hughes says.  "Business needs to lead the way," she says. 

"If we don't get this right now, we will not be able to reap the benefits 
of the information revolution." 

Veda Advantage's submission to the Australian Law Reform Commission's 
privacy review recommends the introduction of voluntary standards for 
organisations handling sensitive data, which become binding upon 
adoption. 

It also recommends greater controls over the indirect collection of data 
from individuals, and a means of notifying third party collection, 
stronger rules for trans-border data flows, and the use of digital 
signatures to help people manage their own portfolio of data consents. 

"Our company now controls much more data than that directly collected 
from the public," Veda says. "These secondary relationships are not fully 
accommodated" under the Privacy Act. 

"The credit reporting network we operate is only one of the information 
networks in our economy. 

"These networks are largely hidden from the individual. 

"The current practice of information privacy does not accurately reflect 
the long-term nature of most relationships. 

"Consumers grant consents at the beginning of a transaction, but may 
subsequently have little real control over their personal information. 

"Businesses often construct that consent as broadly as possible to avoid 
later use being questioned." 

Veda says the legislation must more clearly reflect the original purpose, 
which was to permit the free flow of information while protecting 
individual privacy. 

"We submit that the best way of achieving better privacy practices is to 
provide incentives for organisations to improve their practices in 
collaboration with regulators and advocates." 

Privacy consultant and former privacy commissioner Malcolm Crompton says 
Veda's "strong and very interesting submission is certainly not way out 
there. A lot of responsible companies are thinking along these lines." 

"Microsoft, Hewlett-Packard and others have been calling for better 
privacy law in the US," he says. 

"Companies are waking up to the fact that a sensible regulatory framework 
is smarter than you'd think. 

"I'd suggest that Veda's position is extremely sensible. 

"It comes back to the saying: good privacy is good for business." 

Nigel Waters, chairman of the Australian Privacy Foundation's policy 
committee, however, rejects the good-for-business refrain in favour of 
tough action. 

"Frankly, on a risk assessment basis, local businesses would be perfectly 
entitled to take the view that privacy laws don't matter because there is 
very little downside in getting it wrong," he says. "That has to change. 

"Unfortunately, we've had seven years of the private sector trying the 
softly, softly approach and it just doesn't work. 

"It seems you need an incentive for businesses to take privacy seriously, 
and what better incentive than having to tell all your customers you've 
stuffed up."

Compulsory notification of data loss or exposure has been 
flagged by Privacy Commissioner Karen Curtis in her submission to the 
ALRC review. 

Data breach notification would "provide a strong market incentive" for 
companies to properly secure databases containing consumer information, 
she says. 

This approach derives from the US, where more than 30 states have passed 
laws requiring businesses to tell individuals about security breaches 
since California passed its law in July 2005. 

The numbers are truly terrifying. According to a log kept by the Privacy 
Rights Clearinghouse, the number of records breached since January 2005 
passed the 100 million mark in early December. 

Last week, the total had jumped to almost 154 million exposures. Since 
many data breaches are not reported, the real numbers are likely to be 
even greater. 

Malcolm Crompton says the clearinghouse log shows evidence of some very 
sloppy information handling practices. 

Worryingly, there is no evidence as to whether Australia is doing better 
or worse. 

"We literally don't know the equivalent data here because there is no law 
requiring disclosure." 

However, Crompton thinks there's little doubt the ALRC will be 
considering a data breach notification law.

"The California law has been the only new piece of thinking on privacy 
legal frameworks in a very long time, and it's having a remarkable 
impact," he says.

"The European data commissioner has proposed such a law, while in Britain 
the banking regulator has just busted a building society, Nationwide, for 
a security breach. 

"People all over are looking at the American experiment, and thinking 
they had better do that too," he says. 

In February, Britain's Financial Services Authority fined Nationwide 
£980,000 ($2.36 million) following the theft of a laptop from the home of 
an employee. 

The authority's investigation found that the building society didn't have 
adequate data security in place, putting at risk confidential information 
on about 11 million customers. 

Crompton notes that it's interesting that the City watchdog, rather than 
the information commissioner, took action in this case. 

"The FSA has managed to find something in the banking laws to say that 
the company should have told its customers," he says. 

"Using existing laws to begin to say data breach notifications should 
happen is a big new development globally." 

Meanwhile, Britain's Information Commissioner's Office is supporting 
compensation for individuals who have suffered damage as a result of data 
breaches. The office's deputy commissioner, David Smith, recently 
released guidelines on making a compensation claim against an 
organisation that has breached the Data Protection Act and on taking the 
matter to court if necessary. 

In Canada, the Internet Policy and Public Interest Clinic has called for 
mandatory notification of security breaches. 

In a white paper it says: "Breach notification laws clearly provide 
organisations with an incentive to prevent breaches if they know that 
such breaches will carry significant costs for reporting and as a result 
of negative publicity. Conversely, the ability to cover up data security 
breaches simply encourages complacency and rewards incompetence." 

Failure to warn individuals of the potential for identity fraud is 
probably negligent, the white paper says. 

Nigel Waters says the authority is hopeful that notification laws will 
help to hold businesses accountable - a substitute for enforcement in the 
absence of muscle from the privacy commissioner. 

When the private sector laws were introduced, the commissioner regularly 
audited firms to monitor and advise on data handling practices, but the 
program was dropped because of a shortage of resources. 

"Basically, we've given up on the commissioner taking an active 
enforcement role," Waters says. "At the moment, unless somebody happens 
to be affected and thinks about complaining, there's no way for breaches 
to come to light. 

"The complaints experience is such that people don't bother to complain 
any more because they know it's going to take so long. 

"Even if the complaint does finally rise to the top of the pile, all that 
happens is a mild slap on the wrist." 

Malcolm Crompton has a more optimistic view of business behaviour. 

"We'll see new ways of doing things," he says. 

"The traditional model left everything in the hands of the privacy 
commissioner. 

"If you think about the equivalent role in finances, we don't have the 
Australian auditor-general auditing all companies. 

"Each company is required to find its own auditor who meets accredited 
standards. 

"So perhaps we may see auditors, or other trust agents, appointed to tick 
off companies to ensure they're meeting regulatory requirements for data."

The Australian 
--

Cheers all ..
Stephen Loosley
Victoria, Australia


