Mandatory data breach notification finally on the table in Australia
Should organisations be required by law to notify customers when a data breach occurs? The Australian government has finally put this question to the Australian public with the release of its discussion paper. This is long overdue: customers whose personal information has been exposed through a company data breach need to be notified so they can take swift steps to secure their own records and personal information against identity crime. We look at why these laws are so important and how a data breach can impact a person’s credit file.
By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.
Yesterday the Australian Government released a statement to the media seeking views on the introduction of mandatory data breach notification laws, which aim to bolster privacy protections for Australians’ personal information in digital databases.
Attorney-General Nicola Roxon said that it was timely for a public discussion on how legislation might deal with data breaches, such as when private records are obtained by hackers.
“Australians who transact online rightfully expect their personal information will be protected,” Ms Roxon said.
“More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers.
Those high profile data breaches include the Sony data breach in 2011 and the First State Super scandal in the same year, and this year the Zappos data breach and the Telstra data breach, to name but a few instances where the personal information of Australians was exposed to hackers. These incidents highlighted the gaping hole in Australia’s privacy legislation that needed to be filled to protect consumers.
Whilst organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, it has not been mandatory to do so. There has been much criticism over companies “holding out” on their customers following a data breach, and waiting days or up to a week or so to notify customers that their personal information may be at risk.
During this time, it has been argued that hackers have had free access to this personal information without the customer doing anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.
The Australian Privacy Commissioner, Mr Timothy Pilgrim has had little recourse within legislation to deal with lack of notification following a data breach.
In his statement to the media, Mr Pilgrim said that in 2011–12 the Office of the Australian Information Commissioner (OAIC) received 46 data breach notifications (DBNs), an 18% decrease from the number of DBNs received in 2010–11.
‘This decrease in notifications is difficult to explain but I have seen reports that suggest we are only being notified of a small percentage of data breaches that are occurring. It is very concerning that many of these incidents may be going unreported and customers are unaware that their personal information may be compromised,’ Mr Pilgrim said.
He has officially supported the release of the discussion paper.
‘…Privacy breach notification is an important issue that needs community debate, and I’m sure there will be a wide range of views expressed on whether this notification should be mandatory,’ Mr Pilgrim said.
‘Currently there is no legal requirement in Australia for organisations to notify individuals when a privacy breach occurs. However, I believe that where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can take steps to regain control of their identity and personal information by changing passwords or account numbers if they know that a data breach has occurred,’ Mr Pilgrim said.
We agree this is an area which is overdue for going under the legislative spotlight. We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.
Unfortunately it seems everywhere people turn some company has been hacked, and it seems every entity with a computer is vulnerable. It is still extremely scary how much risk people’s personal information is exposed to these days when it is stored online.
Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.
A lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised.
Once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.
These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.
Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.
What is not widely known is how difficult removing credit listings which shouldn’t be there can be – even if the individual has been the victim of identity theft. There is no guarantee that the identity theft victim will have the defaults removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.
This is where victims who need to recover their credit rating can often benefit from third party assistance, such as a credit repair company, to help prove that the victim did not initiate the credit, build a case for removal and negotiate on the victim’s behalf.
But the best method is prevention – and this can be difficult for victims to have any control over. They leave their personal information with a company, and must trust that their systems are working and that their information is safe.
The only ways people can ensure their details are safe or dealt with safely are to:
a) Demand that the companies they deal with are protective of their customers’ personal information. They should demand companies have strong IT systems.
b) Adopt a need-to-know basis for disclosing their personal information. They should always question the need for their details to be handed over. If it is not essential, they shouldn’t do it; and
c) Demand our country adopt mandatory data breach notification laws so we can, as Mr Pilgrim describes, have our organisations “embed a culture that values and respects privacy.”
Image: phanlop88/ www.FreeDigitalPhotos.net