Roxon proposes compulsory reporting of online privacy breaches

17 Oct, 2012 02:16 PM

Companies would be required to notify customers if the security of their personal information was compromised under proposals released for discussion by the Gillard government today.

Currently, organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, but are not obliged to do so.

Attorney-General Nicola Roxon this morning released a discussion paper to seek comment on whether organisations should be required to report breaches, what kind of breaches should have to be reported, who should be notified, and what penalties should apply for failure to comply.

"Australians who transact online rightfully expect their personal information will be protected," Ms Roxon said.

"More personal information about Australians than ever before is held online, and several high-profile data breaches have shown that this information can be susceptible to hackers."

In April last year, hackers accessed the accounts of more than 100 million users of Sony's PlayStation Network and Qriocity entertainment services. Last December, the details of 800,000 Telstra customers were found on an unprotected website.

These breaches are in addition to the University of Sydney, ANZ, Westfield, tech giant Dell, South Australian government-owned medical company Medvet, gaming behemoth Valve, web host and domain name company Distribute.IT, First State Super, Computershare and Vodafone all exposing customers' personal information.

The release of the discussion paper comes more than four years after the Australian Law Reform Commission (ALRC) concluded a 28-month inquiry into the effectiveness of the Privacy Act, which recommended that government introduce mandatory data breach notification laws that force companies to reveal breaches.

It also comes after one of the world's most infamous computer hackers, Kevin Mitnick, told Fairfax Media in an article published in August this year that the Australian government's inaction on data breach laws meant scores of privacy disasters were going under the radar. "The only reason that [companies in the US] come forward [now] is because the laws now require it," Mitnick said.

Privacy Commissioner Timothy Pilgrim said he had received 15 voluntary breach notifications from organisations this financial year so far, and had initiated seven investigations of other breaches. Last financial year his office received 46 voluntary notifications and launched 37 investigations into other breaches.

Mr Pilgrim said because organisations were not currently required to report breaches, it was impossible to know how common it was for data to be compromised, for example by being accessed by hackers, through the loss of computer equipment or through negligent or improper disclosure.

Mr Pilgrim said notifications could give customers the opportunity to reduce the impact of the security breach on them, for example by cancelling credit cards or changing account passwords, and could also improve public confidence in the handling of their information.

Security analyst James Turner, of IBRS, believed the introduction of data breach notification laws was an important stage "in our maturity as a society that's increasingly relying on interconnected computer systems".

But he warned of some of the fatigue issues the US faced when it introduced the laws in certain states and said the challenge for government was going to be in "defining what a breach is".

"It's becoming a running joke now about people who are getting this constant stream of letters in their letterbox telling them that their data has been compromised," Mr Turner said.

Mr Turner added that Australians would "genuinely be shocked" by the magnitude of breaches in Australia if data breach notification laws were introduced.

"I would expect that when [data] breach notification [law] comes through that we're going to suddenly discover that there is a lot of stuff happening that we didn't know about before," Mr Turner said.

Paul Ducklin, of security firm Sophos, said he believed it had taken too long for government to announce any action on data breach laws.

"I thought it was a good idea back in 2008 [and] I've been publicly calling for it for a while now," he said.

On the fatigue issue, he said the best way to fix it was via companies preventing data breaches from occurring in the first place.

Chris Gatford, of security firm Hacklabs, agreed that it had taken too long for laws to be proposed in Australia.

"We are one of the last western societies not holding organisations to account when they lose personally identifiable information of customers, employees or citizens," Mr Gatford said.

He said jurisdictions that had mandatory data breach notification laws were more security aware. "We have noted this difference quite considerably on our Australian versus international customers," Mr Gatford said.

"We see evidence of hundreds [of data breaches] a quarter [in Australia] and aren't really looking that hard," he said. "I would estimate tens of thousands."

Ty Miller, of security firm Pure Hacking, said 99 per cent of organisations his company performed data breach investigations for in Australia did not disclose the breaches. This was because "it would have a negative impact on their brand and bottom line", he said.

"Data breach notification laws may negatively impact businesses who become compromised since brand damage will occur if the information is made public. This may lead to more small to medium sized businesses folding after a security breach."

Despite this, he said such laws would enable both consumers and business owners to gain a realistic picture of the large number of security breaches that were occurring in Australia.

In 2008, the ALRC recommended organisations be required to notify people whose privacy had been infringed, where the breach caused a "real risk of serious harm". Notification would not be required if it would compromise a criminal investigation or was determined by the regulator to be contrary to the public interest, the ALRC said, and civil penalties, including financial ones, should apply to organisations that failed to make the required notifications.

In the US, almost all states have data breach laws and Congress is considering national proposals. In the European Union, only electronic communications providers such as telecommunications firms are required to notify regulators and customers of breaches. It is considering wider proposals that would cover all sectors.

Submissions in reply to the Australian discussion paper are sought by November 23.
