Strict US laws governing online security and privacy may soon find their equivalent in Australia as more cases emerge of consumer information being misappropriated, according to Nick Abrahams, partner and head of the technology, media and telecommunications group with law firm Deacons.
The issue was highlighted recently when the Guess Jeans company was sued for damages after hackers stole customer names, email addresses and other information, despite the company’s assurances that the information was protected.
Although such breaches are mainly isolated to the US, Abrahams believes that it will not be too long before Australian companies and law makers will have to acquaint themselves with some of the harsher realities of the online world.
Important for Australian technology companies, for instance, is understanding their exposure to damages claims from their customers in the event of security failures.
"If a company like Guess Jeans gets sued then you can rest assured it would look to whoever provided their technology to seek compensation there," Abrahams says.
While many IT-related security problems are assumed to fall under the Privacy Act, it is the Trade Practices Act that can deliver the most financially damaging results for companies that fail in their responsibilities.
"People can sue under the Trade Practices Act and get loads of money, whereas there’s not so much money to be gained under the Privacy Act," Abrahams says. He adds that there is a ‘gaping hole’ when it comes to companies’ knowledge of the legal implications of what is on their corporate website.
Laws relating to the internet and electronic transactions are often vague and present some very complex issues for governments, businesses and consumers alike. Yet at the core, Abrahams explains, are two basic principles: the obligation to reliably establish a person’s identity and the obligation to maintain information in a secure manner.
While Australia is yet to embrace serious punitive measures for IT security breaches, many of our larger financial institutions are already bound by the US legislation Sarbanes-Oxley, which states that company directors are directly accountable for establishing proper security policies.
"This legislation does cover most Australian financial institutions -- if you want to raise money in the US you have to comply with Sarbanes-Oxley," Abrahams says.
The other major piece of IT security legislation currently in use is California’s Database Breach Notification Act, which requires that companies disclose when their systems have been compromised by hackers, viruses or other outbreaks. Its effect has been to ram home to company directors the importance of maintaining adequate levels of IT security so as to avoid embarrassment, or worse, major damages claims.
"That’s a pretty aggressive piece of legislation, which we may see in Australia some time," Abrahams says.