Australian organisations will now have to report their breaches to the government, as a new law rolls into effect promising to punish those who keep quiet. The law, called the Privacy Amendment Bill 2016, passed the House of Representatives last week and made it through the Senate on 13 February.
All it requires is assent from the Governor-General to become an official act of Parliament. Despite previous troubles in actually getting such a law passed, the passage of this bill apparently went through largely without a hitch.
Up until now there has been an entirely voluntary notification system in place which lawmakers felt could not properly address the problems it set out to solve. Government agencies and small businesses are exempt but others will have to report breaches to the privacy commissioner within 30 days of the breach.
The law defines breaches as cases of unauthorised access to, or disclosure of, data where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”. Offenders are liable for fines of up to AUS$1.8 million (£1.1 million).
The struggle to get a breach reporting law in place has troubled Canberra lawmakers for years now. Several attempts were made to pass the Bill through Parliament after the Joint Parliamentary Committee on Intelligence and Security concluded as much several years ago.
The Australian privacy commissioner gave evidence to Parliament in 2013 saying that if service providers would be required to hold onto customer data for extended periods of time, then those service providers should also be made responsible for that data. There should be, said the commissioner, an “obligation for service providers to notify the commissioner and affected individuals in the event that they experience a data breach affecting telecommunications data collected and retained under the scheme.”
Certain parts of the United States have had breach reporting rules for over a decade and
Ilia Kolochenko, CEO of High-Tech Bridge, offered some misgivings to SC Media UK: “The obligation to report a data breach is definitely useful to protect customers, however its enforcement and control are not obvious. Professional cyber-criminals do their best to remain unseen, at least for a certain period of time; recent Yahoo breaches are good examples.
“Therefore, can we hold a company responsible for a breach that it is not aware of, despite best possible and reasonable efforts taken? The government should also allocate additional resources to investigate and prosecute cyber-crime in a proportional manner. Otherwise, it seems unfair to put the entire responsibility on companies and organisations.”