Can data breach notification laws survive the election?

Read the original article on The Australian


The Privacy Alerts Bill 2013 missed the cut during the last Senate sitting day, which means the proposed move to make companies more responsible with customer data sits in a legal limbo for now.

This bill was intended to introduce a regime for data breach reporting and to support the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which introduced a number of significant changes to the Privacy Act, including the updated Australian Privacy Principles. The eventual fate of the endeavour will become a little clearer after the federal election; however, there are fears that a Coalition win could consign a mandatory data breach regime to obscurity.

While a parliamentary committee that reviewed the legislation recommended that the Privacy Alerts Bill 2013 be unconditionally supported, there was some dissent from the Coalition members of the committee.

Many expressed concerns with the bill and indicated in an addendum to the committee report that there was a “lack of due process and time for scrutiny”. They also failed to provide guidance on their specific concerns, which leaves the Coalition’s position on the bill unclear.

Big business angst

The Coalition has indicated that it will look to introduce a data breach notification bill if it wins government but can it withstand the business campaign against the bill?

The Greens, who are likely to hold the balance of power in the Senate, have adopted the view expressed by the Australian Communications Consumer Action Network (ACCAN) CEO Teresa Corbin who says that “consumers have a right to be informed when companies lose or misuse their data and ACCAN does not believe such notifications would be difficult to provide.”

It is unclear whether provisions for organisations to be fined for repeated data breach offences will make the final legislation, with business lobbyists arguing against the move to introduce compulsory data breach notification laws.

The Association of Data-driven Marketing & Advertising (ADMA) CEO Josie Sangster was reportedly against the legislation because it’s being “rushed through”. Sangster’s argument is that the notification regulation “comes at a time when businesses large and small are already grappling with the most extensive changes to privacy legislation seen in the last 10 years, and now the government intends to impose yet more legislation without even considering the impact on business.”

Watered-down regime to begin with

However, one can easily argue that Sangster doth protest too much.

The bill in its current form would not introduce mandatory data breach reporting, but a watered-down regime where a data breach is to be reported only if it might cause ‘a real risk of serious harm’. What is not clear is who would determine whether a data breach meets that threshold, and this leads to the suggestion that business will simply fail to report data breaches, which is the current situation.

The bill had other flaws as well, including a failure to introduce a minimum security requirement, which means that organisations could adopt a ‘head in the sand’ approach and purchase infrastructure that has no intrusion detection or security monitoring.

The only positive in the bill was the move to strengthen the reporting requirements through regulation, which would be used to specify what needs to be reported. The problem with this approach is that regulation is open to interpretation, and that is not what is needed now.

A key reason for mandatory data breach reporting is the need to establish how many data breaches occur each year and which organisations are being targeted and breached.

Value in putting customers first

Businesses are learning that the digital network brings with it many benefits; however, business has been slow to accept that the benefits come with costs, and that includes the cost of securing customer information. Big business needs to get its collective head out of the sand and start realising the value in putting customer information security before profits.

Australia has been slow to adopt laws that would penalise organisations for repeated data breaches, and it was anticipated that the penalties included in the Privacy Alerts Bill 2013 would go a long way towards rectifying this.

Government agencies should work with business to develop a minimum security standard and adopt it as a best practice policy. The best practice policy should include a standardised approach for dealing with hackers and with malware that has been introduced into an organisation through BYOD devices or through USB drives plugged into a computer within the organisation.

Businesses would be well served by establishing a security and privacy committee, refocusing their activities around it and putting that committee at the centre, not at the periphery where its key message can be ignored.

Customer information security is a significant issue that is now in a purgatory of sorts, at least until after the next election. Labor’s position is clear, so it’s up to the shadow communications minister Malcolm Turnbull to provide the Coalition’s position before the election.

Mark Gregory is a member of an RMIT University team in receipt of a current ACCAN grant related to the Warrnambool Telstra exchange fire.