20 October 2012

Australian Data Breach Consultation

The Commonwealth Government has released its Australian Privacy Breach Notification discussion paper [PDF] regarding potential introduction of mandatory data breach notification. Submissions are sought by 23 November 2012.

The Attorney-General's media release indicates that "it was timely for a public discussion on how legislation might deal with data breaches, such as when private records are obtained by hackers. Australians who transact online rightfully expect their personal information will be protected". Quite so.

In the introduction to the paper the Attorney-General comments that -
One of the ALRC's [2008 For Your Information: Australian Privacy Law and Practice] recommendations was that a mandatory data breach notification scheme be introduced. In responding to this recommendation, the threshold question that must be asked is whether the introduction of such a scheme is warranted. For example, it may be the case that the existing voluntary guidelines issued by the Office of the Australian Information Commissioner are working effectively enough. If there is to be a mandatory data breach notification scheme, how do we make sure it gets the balance right between the public interest in mitigating the adverse effects of data breaches while ensuring we do not create an overly burdensome compliance requirement on entities that make their business from collecting, storing and using personal information?
The paper indicates that
A data breach occurs when personal information is improperly accessed, obtained, used, disclosed, copied or modified. 
It goes on to comment that
There have been several significant and high-profile data breaches in recent years. 
As noted recently, at least one of those breaches appears to have completely bypassed the attention of AFP cybercrime czar Gaughan, perhaps because he has been busy misconstruing German data protection law.

The paper asks what notification requirements government agencies and large private-sector organisations should have to meet when they suffer a data breach, including -
  • Should Australia introduce a mandatory data breach notification law? 
  • What kind of breaches should trigger notification requirements? 
  • Who should decide whether notification is necessary? 
  • What should be reported and how quickly? 
  • How should a notification requirement be enforced? 
  • Who should be subject to a mandatory data breach notification law?
  • Should there be an exception for law enforcement activity?
The paper advances seven arguments in favour of 'retaining the existing position', ie not implementing mandatory data breach notification -
  • the additional costs of compliance for entities would be too onerous; 
  • there are sufficient commercial incentives for entities (eg reputation) to have high standards of data security and to voluntarily notify the OAIC where appropriate; 
  • the voluntary OAIC guidelines are operating effectively, and more entities are using them after voluntarily contacting the OAIC; 
  • many organisations do not have the capability of detecting whether data loss has occurred, and whether there has been a significant impact or harm caused by such data loss; 
  • some organisations already voluntarily report certain categories of incident to law enforcement agencies and CERT Australia; 
  • the connection between data breaches and identity theft has been criticised as being overstated; and 
  • data breach disclosure laws have marginal effect on the incidence of identity theft.
The incidents highlighted in this blog over the past three years (eg involving Medvet, Sony, AICD, Vodafone, Telstra and other blue chips) suggest that several of those arguments are problematic, in particular the claims that commercial incentives and the voluntary OAIC guidelines are working effectively.

The paper goes on to articulate "four broad goals" regarding mandatory data breach notification.
A. Mitigation of consequences of breach
First, by providing advice to those who have had their privacy infringed, that person will have an opportunity to take corrective action to change or otherwise ‘resecure’ the information. This could be called the ‘mitigation objective’. For example, to change passwords where those passwords have been hacked or to cancel credit cards if their details have been stolen. The ALRC considered this to be the primary goal to be achieved. However, such a rationale shifts the onus away from the organisation that has suffered the breach and onto a person who may be ill-equipped or unable to correct the consequences of the breach. For example, in cases where an individual’s health information has been accidentally uploaded to the internet, it may not be possible to rectify the breach even if it has been subsequently taken down.
B. Deterrence/incentive to improve data security
Secondly, requiring notification may act as an incentive to the holders of personal information to adequately secure or dispose of that information. In other words, the adverse publicity occasioned by a notification may deter poor handling of such information, and increase the likelihood that adequate and reasonable measures are taken to secure it. This could thus be called the ‘deterrent objective’. The ALRC viewed this as more of a secondary objective, although it has been part of the rationale for data breach notification laws in many other jurisdictions. With respect to agencies, this objective is consistent with guidelines issued by the Government under the Protective Security Policy Framework. These guidelines highlight the need for agencies to understand and address their responsibility to minimise the risk to the public when transacting online with the Australian Government. The failure by an agency to adequately notify the public of a data breach could place the public at risk. A mandatory data breach notification requirement would ensure all agencies take action to minimise the risk of harm to the public.
C. Tracking of incidents and provision of information in the public interest
A third goal would be to provide better information to government and the public on the scope and frequency of data breaches. This ‘informational objective’ is essentially a correction of the market failure by which organisations have insufficient incentives to disclose incidents of data loss, even though such losses may cause harm to others.
D. Maintaining community confidence in legislative privacy protections
Finally, there is what could be called a ‘public confidence’ objective. Even where the harm of a data breach to individuals is minimal, there is a chance individuals will feel deceived or disempowered in the absence of notification. Mandatory data breach notification may bolster public confidence that the Government is taking individual privacy rights seriously.
We need more than mandatory reporting, even where it is underpinned by penalties for non-reporting or dilatory reporting. Tony Burke, acting chief of the Australian Banking Association, is reported as commenting that mandatory data breach reporting would lead to
 an unwarranted loss of confidence in Australia’s payment systems to the detriment of all.
Attempting to notify individuals potentially affected could lead to significant levels of community concern, disproportionate to the actual level of risk, which could well be zero. 
Mandatory reporting in isolation may well lead to what I have elsewhere characterised as data breach fatigue. What is essential is attitudinal change among data custodians, driven by public shaming and by penalties that are sufficient to motivate organisations to safeguard personal information, for example through adequate vetting of staff and partners and through maintenance of network intrusion detection systems.