Mandatory data breach notification Bill before Parliament
The Attorney-General has put before Parliament a mandatory data breach notification bill, which will require businesses and government agencies to notify people when a data breach affecting their privacy occurs. In our view this long overdue legislation is imperative to protect individuals whose personal information has been exposed in some way. It will allow those affected to take swift steps to secure their own records and personal information against identity crime. We look at why these laws are so important and how a data breach can impact a person’s credit file.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.
Remember when Sony was hacked? Thousands of Sony Australia customers were kept in the dark about it for some time – and there wasn’t a thing our Privacy Commissioner could do after the fact, because Australian law imposed no requirement on businesses or other entities to notify individuals when a data breach could affect their personal information.
Events like that – along with a long list of other breaches – have inspired changes within our legislation.
The Attorney-General, Mark Dreyfus QC, introduced the Privacy Amendment (Privacy Alerts) Bill 2013 for its first reading in Parliament yesterday. If passed, the amendments will commence on March 12, 2014, alongside other major amendments to the Privacy Act 1988.
The new laws will require all entities covered by the Privacy Act 1988, including many businesses, to notify the Office of the Australian Information Commissioner of data breaches.
The notification requirements do not apply to all data breaches, only to breaches that give rise to a risk of serious harm. The Commissioner will be able to seek civil penalties for serious or repeated non-compliance with the notification requirements.
“To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches,” Mr Dreyfus said in a statement to the media on Tuesday.
In a Computerworld article, ‘Proposed mandatory data breach notification bill read in Parliament’, Privacy Commissioner Timothy Pilgrim reportedly said that he has supported the introduction of mandatory data breach notification laws in Australia since they were first proposed by the Australian Law Reform Commission in 2008.
“The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has continued to grow over the past three years,” he said.
Despite this upward trend, the Office of the Australian Information Commissioner (OAIC) received 46 data breach notifications in the 2011–12 financial year, an 18 per cent decrease from the previous year.
“I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring,” Pilgrim said. “Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised.”
Until now, organisations have been encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, but it has not been mandatory to do so. Companies have been widely criticised for “holding out” on their customers following a data breach, waiting days or up to a week or so before notifying customers that their personal information may be at risk.
During that window, it has been argued, hackers have free use of the stolen personal information while the customer, unaware of the breach, does nothing to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.
We agree this is an area which is overdue for legislation, especially hand in hand with the other Privacy Amendments already passed.
We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.
Unfortunately, it seems that everywhere people turn some company has been hacked – and every entity with a computer appears vulnerable. The level of risk that people’s personal information is exposed to these days when it is stored online is still extremely scary.
Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.
Much identity fraud is committed by piecing together enough personal information from different sources for criminals to take out credit in the victim’s name. Victims often don’t find out about it right away – and that is when their credit file can be compromised.
Once the victim’s credit rating has been damaged by defaults on this ‘stolen’ credit, they face a difficult time repairing it in order to get their life back on track.
These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.
Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.
What is not widely known is how difficult credit repair can be afterwards – even if the individual has been the victim of identity theft, there is no guarantee the defaults can be removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.
Unfortunately, individuals have very little control over data breaches, and the only way people can ensure their details are safe is to demand that the companies they deal with have strong IT systems before disclosing that information. People should adopt a need-to-know philosophy for disclosing their personal information. They should always question the need for it to be handed over. If it is not essential, they shouldn’t do it.
The fact that our country is attempting to legislate this important area is a big step in the right direction. Forcing companies to act quickly would minimise the harm that could occur to victims’ financial identity and credit file information. Whilst it won’t prevent all data breaches, it will encourage better security. A requirement to disclose potentially harmful breaches would mean a company’s poor security is thrown right into the limelight. And not even the bigwigs would want that.
Image: David Castillo Dominici/ www.FreeDigitalPhotos.net