Head to head: Do we really need compulsory data leakage disclosure laws?

Trends and developments in the US often provide an insight into possible changes on local shores. A current burning issue centres around data disclosure laws, which have been widely enforced in the US.

Last month, The Australian Law Reform Commission (ALRC) released a blueprint with 301 proposals for overhauling Australia’s complex and costly privacy laws and practices.

David Weisbrot, president of the ALRC said it was the product of the largest public consultation process in ALRC history.

“We have received over 300 submissions and held over 170 meetings to date with business, consumers, young people, health officials, technology experts and privacy advocates and regulators.

“The clearest message from the community is that we must streamline our unnecessarily complex system. The federal Privacy Act sets out different principles for private organisations and for government agencies. On top of that, each state and territory has its own privacy laws or guidelines and some also have separate laws on health privacy,” he said.

Weisbrot added that the ALRC is proposing there be a single set of privacy principles for information-handling across all sectors and all levels of government. This aims to make it easier and less expensive for organisations to comply, and much more simple for people to understand their rights.

The office of the privacy commissioner was quick to back the ALRC paper.

“The ALRC review is an important process for ensuring that Australians continue to receive a high level of privacy protection in coming years,” said Karen Curtis, The Privacy Commissioner.

Curtis said her office will be assessing the 1,983-page discussion paper to see the extent to which it addresses the issues the Office raised in its submissions to the ALRC, and will be commenting on any new issues and proposals that have
been raised.

We ask our industry experts: Does Australia need compulsory data leakage disclosure laws?

Joel Camissar
Country manager for A/NZ at Websense:
When it comes to data leakage, sensationalism has been the order of the day in the mainstream and trade press, with a continued popular emphasis on the threat posed by USB devices such as memory sticks and hardware keyloggers.

There is no denying the seriousness of the data leakage problem. Last year, according to a Ponemon Institute Customer Trust
Survey, companies that suffer a breach of only 100,000 records containing personally identifiable information can expect to lose almost one third of those customers for good and suffer total financial damages of about US$23million. These figures do not include indirect costs that result from critical media coverage and public exposure.

California has had strict data leakage laws in place for years, but Australia’s Privacy Act does not have enough “teeth”. Company directors in Australia are not held liable for data breaches and corporations are under no legal requirement to inform customers either if this occurs.

In my conversations with chief information security officers in Australian companies, there is widespread understanding over the importance of data leakage prevention. Many are dipping their toes in the water to understand what is out there in the market. However, most need to develop a better understanding of the laws.

I say bring on strong data leakage laws in Australia and we’ll all be more secure in the process.

Nick Verykios
Marketing director of Distribution Central:
In practice, “data-leakage disclosure” could be considered an oxymoron. Analysts in the US suggest, through their CSO surveys, that most are not confident their organisations would detect physical data leakage as opposed to logical or IT based data leakage. If you don’t know about the leakage, how can you disclose it? Until the leakage effects your organisation (which is when you find out about it) and by then it’s too late to effectively disclose.

The whole process needs to be thought of as electronic data leakage, as physical data leakage can not be controlled and remedied in the same legal framework. Legislation would support the need for disclosure, not curb the incidence of data leakage.

Technology is available, and policies can be developed around the capabilities of these technologies to prevent good workers from doing bad things. Data leakage is no exception. But anyone can pick up a piece of paper with sensitive data on it and walk out the door.

It does make sense for corporate policy to specify how sensitive data has to be handled (stored and protected). Legislation exists for disclosure of leaked data that falls under privacy laws (personal records, financial records, credit card info etc). The issue is to whom such info should be disclosed.

Regular security audits could give companies a “get-out-of-jail free card” if certain procedures are followed and precautions are deemed adequate, although breaches must still be notified to involved parties. Toothless legislation.