EFA supports mandatory data breach notification

At its April Board meeting, the Electronic Frontiers Australia Board voted unanimously to support the implementation of mandatory data breach notification regulations.

Karen Higgins, EFA Board Member said, “It is outrageous that an organisation can have a million people’s private details exposed due to slack security, and then does nothing about it. If my birthdate and credit card details get into the hands of hackers, I want to know about it, so I can take steps to protect myself, such as closing the credit card account. And then I will stop doing business with the company that couldn’t be bothered to protect my data.”

In 2008, the Australian Law Reform Commission proposed many changes to the Privacy Act, including mandatory data breach notification. The Prime Minister and Cabinet placed mandatory data breach notification in the second set of Privacy Act changes to be made, and no action date has yet been provided.

A number of major organisations have stated opposition to mandatory notification, asserting instead that voluntary data breach notification is sufficient.

A number of high-profile data breaches have taken place in recent months, affecting businesses including Telstra, First Super, ANZ Bank and the global Sony Playstation network. Australian Privacy Commissioner Timothy Pilgrim has said that there is evidence to suggest that data breaches are on the rise. He said, “The Office of the Australian Information Commissioner (OAIC) was notified of 56 data breaches in the last financial year, equivalent to a data breach a week. This is up from 44 in the previous year, an increase of 27 per cent.” However, the Privacy Commissioner also noted that he opened a further 59 investigations into other breaches where he wasn’t notified of the incident (see the full release here).

The Office of the Australian Information Commissioner (OAIC) this week released updated guidelines designed to assist organisations dealing with a data breach as well as providing advice on preventative measures.

The Australian Information Commissioner, Professor John McMillan has also this week stated that there is “strong support for the notion that the Government must treat data breach notification as a mandatory process”, and that “Internationally, the tide is moving in this direction” (as quoted in itNews).

EFA supports these calls for mandatory data breach notification regulations and calls on the government to take prompt action in this regard.