"There are also obligations arising under contract, duty of care, trade secret and confidentiality, and potentially the Australian Consumer Law as well," Joel Vernon told iTWire in response to the views expressed recently in these columns by cyber security consultant Phil Kernick.
The Australian data breach law takes effect on 22 February. Kernick had expressed the view that the law would be among the weakest in the world and that it was unlikely to impose any pressure on businesses to change the way they protect personal data at the moment.
Vernon's view differed. He said the obligations listed above, when coupled with the potential for sufficiently-motivated and resourced plaintiffs to commence group or class action proceedings, would make cost internalisation fairly apparent.
He noted that the fines (or, rather, civil penalties) were up to $420,000 and $2.1 million for non-body-corporates and body corporates respectively. "Failure to comply with the notification regime is not the only potential liability under the Privacy Act – others are also in play," he added.
Vernon, who is a lawyer by trade but now more of a business adviser, has a background in IT as well, having worked for both Primus and Telstra.
He said it was not the case that only organisations with $3 million in revenue were covered by the law; the relevant threshold was calculated on annual turnover.
"There are a range of other entities which are within the jurisdiction of the Privacy Act even if they do not reach this monetary threshold (such as health service providers, credit reporting bodies, and contracted service providers under a Commonwealth contract (even if not privy to the contract))," he pointed out.
"In other words, the obligations are of far wider significance and cover a range of otherwise quite small businesses which need to think very carefully about their operations and processes and whether they are complying with the Privacy Act now and additionally from 22 February."
Vernon said the solution proposed by Kernick — requiring all entities to simply report all breaches and shift the harm assessment to the Privacy Commissioner — did not change the cost dynamic.
"There is a cost either way. Entities bear the cost of notification (which may be marginal) or they bear the cost of the harm assessment," he said.
"Shifting the harm assessment from the entity to the Commissioner, in fact, externalises the cost from the entity and shifts it back to the community. Such an approach does even less for cost internalisation, if that is the policy goal."
He said he agreed with the views expressed in these columns by Helaine Leggat, director of Melbourne firm Information Legal, a few days ago.
"The Privacy Act is legislation informed by and motivated by Australia being a signatory to the International Covenant on Civil and Political Rights. In an ideal world, privacy (and security) shouldn't depend on legislation but should be an inherent part of the social contract. We collectively undervalue our privacy (and our personal information) and willingly trade that to others who value it more in exchange for convenience or features.
"The Privacy Act is an attempt to narrow this value relativity. There is plenty to be done in this space, even outside the notification regime, and I fully agree with Helaine when she says 'smaller businesses do not know what is required, and if they do, they have little idea of what to do. Even big organisations are struggling'. I can attest to that from my own experience."
Vernon said that both business and government should be grateful for the chance to demonstrate a commitment to privacy and security by, for example, having breach response plans in place.
He added: "This is not to say this is the only thing they need to do to ensure compliance with the Privacy Act – there are many front-end obligations they need to be aware of, and for organisations outside the scope of the Privacy Act, there will be other arrangements and obligations that also need to be considered."