First raised as a recommendation by the Australian Law Reform Commission (ALRC) in 2008, data breach-notification laws have been seen as a way to hold businesses accountable for lax security practices that can profoundly affect the lives of consumers and the viability of businesses themselves. However, opponents say that such laws amount to too much regulation and government overhead and cost, and they advocate a voluntary approach to reporting that will encourage peer-level oversight instead. The AG’s office has issued a discussion paper in order to consider both sides of the argument, and will be accepting comment submissions until Nov. 23, 2012.
“Rapid advances in technology have changed the way we work, bank and shop, the way people engage with government, and the way we relate to friends, family and people we’ve never even met,” said Nicola Roxon, MP, Attorney-General and Minister for Emergency Management, in a public letter introducing the discussion. “We are providing more personal information that ever before to government agencies and companies, both in Australia and overseas, and this information is susceptible to hackers and other types of security breaches.”
She added, “It is therefore timely to consider whether our existing privacy framework is adequate in encouraging entities to take the right steps in the event of a data breach, and in allowing individuals to mitigate the adverse effects of such a breach.”
At the center of the debate is the basic question of whether Australia needs breach-notification legislation, and if it will have the desired mitigation effect. But there is much to weigh beyond the central premise, such as, what are the “trigger levels” that would require reporting, i.e., will consumers or the business need to be actually adversely affected by a breach in order for the law to apply? How widespread of an issue will the event need to be in order to trigger the reporting requirement—should minor breaches count? How is severity of a breach to be quantified—by number of records compromised? And which types of businesses would the laws apply to? Should law enforcement be exempt if announcing a breach could interfere with an active investigation?
Another issue to weigh is who would have oversight of the area, and whether the law should require notification to affected parties, some sort of oversight agency like the Privacy Commission, or both. Also, are there parameters for how quickly victims should be notified once a breach has been discovered? And then there is of course the issue of penalties—if they should exist, and how punitive they should be.
Australia’s examination of the issue is timely: data breaches are increasing in size and scope. The AG cites a benchmarking study from Ponemon Institute and Symantec, which found that up to 88% of organizations surveyed have had at least one data breach during the course of a year. The same report also found that the cost of notification and rectification is also increasing, with costs ranging between $174 to $268 per information record breached in the US.
The Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches in
the 2010/2011 financial year, equivalent to one data breach a week. This is up from 44 in the previous year, an increase of 27%. The Privacy Commissioner also opened 59 investigations in to breaches of which there was no notification to the OAIC.