While organisations spruiking security solutions and the Privacy Commissioner have generally welcomed the initiative, some privacy advocates and industry bodies such as ADMA (Australian Data-driven Marketing and Advertising) have questioned its value.
Currently Australian organisations are encouraged rather than mandated to notify the Privacy Commissioner of data breaches. Electronic Frontiers Australia called for the introduction of laws mandating data breach notification in May this year.
According to Federal Attorney General Nicola Roxon, who launched the discussion paper last week: “More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers.
"The question we are asking today is should organisations be required by law to make data breach notifications when they occur?"
Yes, according to Privacy Commissioner Timothy Pilgrim, who claims that mandatory disclosure would at least give consumers the opportunity to change passwords or account numbers if a company they have done business with is hacked.
Quite apart from the reputational damage, there can also be substantial costs. A report released earlier this year by Symantec and the Ponemon Institute revealed that on average a data breach cost an organisation $138 per data record.
Mark Lewis, director of IP Payments, said that in his opinion companies which are more transparent fare better than those which have “sat on a data breach”. He said LinkedIn and Global Payments, which had been quickly open about their recent data breaches, found that the issue had “blown past quite quickly.”
Sony, by comparison, “sat on the information too long and is still a punching bag today.”