AG backs mandatory data breach laws

By on
AG backs mandatory data breach laws

Attorney-General Mark Dreyfus has backed plans to introduce a mandatory data breach notification scheme in Australia.

The scheme was recommended by the Australian Law Reform Commission in 2008. It will require companies to inform the public whenever customers' personal information is compromised.

Former Attorney-General Nicola Roxon introduced a discussion paper on the topic last October, seeking feedback on what should trigger notification, who should be notified and which organisations should be subject to the regime.

Dreyfus said today the Government would engage in a 'small amount' of further talks with key stakeholders before deciding whether to implement such a system.

Speaking today at the launch of the 2012 Privacy Awareness Week, Dreyfus said any government agencies and organisations suffering a data breach should provide timely advice to affected parties.

He said the growing amount of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme. 

“If there continues to be under reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme,” he said.

Dreyfus cited a 2012 report by Canberra University's Centre for Internet Safety which found a majority of Australians supported data breach notifications.

"I believe government agencies or companies that suffer a data breach should provide timely advice to those who have or could have had their privacy infringed, and that seems to be the view of many Australians."

He highlighted recent breaches at the likes of the ABC, Telstra, Medvet and Sony Playstation as cases for a mandatory scheme.

“While I am an optimist, I do not anticipate we have yet seen the end of these types of breaches. A mandatory notification requirements may also act as an incentive for holders of information to secure it," he said.

“The Government is carefully considering what has emerged from consultation and we’ll engage in a little bit more consultation before deciding which option we’re going to pursue.”

He did not give a timeframe for any potential legislative changes. The Attorney General's department has been contacted for further comment.

Privacy Commissioner Timothy Pilgrim also called for mandatory notification, warning that attacks like those leading to the recent arrest of Sydney-based alleged LulzSec hacker Matthew Flannery would continue, putting Australians' personal information at risk.

“In 2011/12, the OAIC [Office of the Australian Information Commissioner] received 1357 privacy complaints; that was an increase of 11 percent on the previous year," he said.

"Not surprisingly, data security was one of the top four reasons for most complaints against the private sector, and featured prominently in the majority of our own investigations."

In its response to Roxon's October 2012 discussion paper, the OAIC stated that Australia's existing voluntary data breach notification arrangements were insufficient.

The OAIC recommended:

  • that notification occur when a breach gives rise to a ‘real risk of serious harm’ to an individual;
  • that a ‘catch-all’ test should apply to a range of circumstances; and
  • that a notification should include the type of personal information involved in the breach, the context of the information and the breach, and the case and extent of the breach and the risk of harm.

It also suggested the notification should include an incident description and the organisation’s response to the breach.

Pilgrim said the OAIC should have the power to compel notification and impose civil penalties on those who fail to comply.

Privacy reforms

The new Privacy Act 2012 will come into effect in March 2014. Changes to the 24-year-old Act include 13 new privacy principles which cover both private and public sectors, called Australian Privacy Principles (APPs).

The APPs replace the existing Information Privacy Principles (IPPs) for the public sector and National Privacy Principles (NPPs) which apply to the private sector.

Additionally, the Privacy Commissioner will benefit from increased powers including the ability to accept enforceable undertakings; seek civil penalties; and conduct performance assessments of privacy performance for government agencies and businesses.

Credit reporting laws will also change under the new Act. New features include: more comprehensive reporting; a simplified complaints process; prohibition on reporting of credit information about children and defaults less than $150; specific rules dealing with pre-screening of credit offers and an individual’s ability to freeze access to credit-related personal information in cases of suspected identity theft/ fraud; and civil penalties for breaches of certain provisions.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
data breach dreyfus attorney hacking mandatory data breach notification pilgrim mark privacy commissioner security timothy

Partner Content

Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Tech For Good program gives purpose and strong business outcomes
Tech For Good program gives purpose and strong business outcomes
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Kaseya Dattocon APAC 2024 is Back
Kaseya Dattocon APAC 2024 is Back

Sponsored Whitepapers

Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
2025 State of Machine Identity Security Report

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

Vic gov to spend $100m on cyber security

Vic gov to spend $100m on cyber security
MSPs pressed to review ransomware response as new reporting rules commence

MSPs pressed to review ransomware response as new reporting rules commence
AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services
Tech Research Asia to present Australian IT M&A report

Tech Research Asia to present Australian IT M&A report

Log in

Email:
Password:
  |  Forgot your password?