While organisations spruiking security solutions and the Privacy Commissioner have generally welcomed the initiative, some privacy advocates and industry bodies such as ADMA (Australian Data-driven Marketing and Advertising) have questioned its value.
Currently Australian organisations are encouraged rather than mandated to notify the Privacy Commissioner of data breaches. Electronic Frontiers Australia called for the introduction of laws mandating data breach notification in May this year.
According to Federal Attorney-General Nicola Roxon, who launched the discussion paper last week: “More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers.
“The question we are asking today is: should organisations be required by law to make data breach notifications when they occur?”
Yes, according to Privacy Commissioner Timothy Pilgrim, who argues that mandatory disclosure would at least give consumers the opportunity to change passwords or account numbers if a company they have done business with is hacked.
Quite apart from the reputational damage, there can also be substantial costs. A report released earlier this year by Symantec and the Ponemon Institute found that, on average, a data breach cost an organisation $138 per data record.
Mark Lewis, director of IP Payments, said that in his opinion companies which are more transparent fare better than those which have “sat on a data breach”. He said LinkedIn and Global Payments, which had been quickly open about their recent data breaches, found that the issue had “blown past quite quickly”.
Sony, by comparison, “sat on the information too long and is still a punching bag today”.
Mr Pilgrim this week revealed that the Office of the Australian Information Commissioner had in 2011-12 received just 46 data breach notifications, 18 per cent fewer than the year before.
He suggested that this may be only a small proportion of the actual number of breaches; ADMA, meanwhile, questioned whether it instead indicated that the OAIC’s approach was working and there were fewer data breaches to report.
Mr Lewis, however, claims that many Australian organisations currently labour under a false sense of security about the protection of their data.
When IP Payments last commissioned a survey of the local market, it found that 13 per cent of organisations knew of a company that had suffered a credit card data breach, and that one in 25 companies surveyed had suffered a credit card breach themselves.
Even so, 73 per cent of respondents to the IP Payments survey were confident their customer data was as secure as it could be, even though 77 per cent admitted they had never heard of the PCI (Payment Card Industry) security standards.
In theory, any organisation accepting credit card payments needs to be PCI compliant. But not everyone is: Mr Lewis said that there were still gaps in PCI compliance in the retail and “big biller” sectors.
He said consumers should take a more proactive role and demand to see a company’s PCI compliance certificate before supplying credit card details.
It seems a long shot. Mr Lewis, however, said that mandatory data breach notification would help to raise awareness of the need for better data security and deliver more transparency to the consumer.
He favours a principles-based approach to data breach notification – the same tack that the Government has taken with privacy – and called for consideration of a consultative process that would allow the need for disclosure to be discussed first with the Privacy Commissioner.
“You could have your whole database stolen – but if it’s encrypted properly it’s useless anyway,” said Mr Lewis.