Journal of Law, Information and Science (JLIS)

Smyth, Sara M --- "Does Australia Really Need Mandatory Data Breach Notification Laws - And If So, What Kind?" [2013] JlLawInfoSci 8; (2013) 22(2) Journal of Law, Information and Science 159


Does Australia Really Need Mandatory Data Breach Notification Laws – And If So, What Kind?

SARA M SMYTH[*]

Introduction

IT security is a vital part of the competitive strategy of any business as it facilitates the collection, storage and transmission of personal information which is vital to success in today’s global marketplace. Yet safeguarding information has become a complex task for organisations operating within global information networks, as it invariably exposes them to new security risks.[1] Until recently, businesses could cover up data security breaches because they were not under a legal duty to disclose them to anyone.[2] However, the enactment of data breach notification laws in many parts of the Western world has uncovered the misuse of data by organisations in a variety of industry sectors. This is significant when one considers that just one data security breach can jeopardize the personal information of people in multiple jurisdictions around the world.[3]

Mandatory data breach notification has been defined by the Australian Government as,

a legal requirement imposed upon particular entities to provide notice to affected persons and the relevant regulator when certain types of personal information are accessed, obtained, used, disclosed to, copied, or modified by unauthorized persons.[4]

Generally, unauthorised access can occur as a result of a malicious breach of the secure storage and handling of that information (eg a hacker attack), accidental loss (most commonly of IT equipment or hard copy documents), a negligent or improper disclosure of information, or otherwise.[5]

This Article explores how best to implement mandatory data breach notification laws in Australia. Currently, no obligation under Australian law requires organisations to report data breaches to regulatory agencies or to affected individuals. The resulting lack of oversight, and the secrecy surrounding data breaches, makes it difficult to generate reliable statistics about the nature and number of these incidents occurring across the nation. The threshold question, of course, is whether such a scheme is warranted. That question is ripe for debate because former Prime Minister Julia Gillard’s Government introduced a mandatory data breach notification bill into Parliament in May 2013, before being defeated in an election a mere four months later.[6] The Bill came roughly five years after the Australian Law Reform Commission (ALRC) concluded a twenty-eight month inquiry into the efficacy of the federal Privacy Act and released its ‘Review of Australian Privacy Law’, which recommended that a data breach notification scheme be implemented at the federal level in Australia.[7] The ALRC examined data breach notification laws in other jurisdictions, particularly those in the United States (US) and the European Union (EU), and ultimately recommended that the issue be dealt with as a privacy matter through changes to Australia’s privacy law regime.[8]

An important argument in favour of mandatory data breach notification is that it gives people the opportunity to reduce the impact of data security breaches, such as by cancelling credit cards or changing account passwords, and it can increase public confidence in the handling of consumer information. Critics counter that data breach notification laws negatively impact businesses. And it is true that the stakes for companies are extremely high: a publicly disclosed breach will almost certainly have a negative impact upon consumer confidence in the breached organisation, as well as on its brand and bottom line. It is evident, though, that by enacting these laws the Australian Government would enable business owners, consumers, law enforcement agents and policy makers to gain a more accurate picture of the data security breaches occurring each year.

Following this Introduction, Part II looks at data breach notification laws implemented in jurisdictions outside Australia. Attention is given to the state-focused legislative scheme adopted throughout the United States and the intra-state model implemented across the European Union. This analysis is significant because the ALRC looked to the approaches adopted in these jurisdictions when considering how Australia should implement mandatory data breach notification laws at the federal level. Following this, Part III looks at the mandatory data breach notification scheme proposed by the Gillard Government. Given the importance of this issue, it is recommended that Prime Minister Abbott’s Government endorse the creation of a mandatory data breach notification scheme of a similar kind in the future.

Ultimately, what is needed is a holistic ‘graded approach’ which combines ‘hard’ regulatory requirements, in the form of data breach notification and a statutory duty of sound information security practices, with ‘soft’ requirements for self-regulation through risk management, employee education, and the like. The discussion in Part IV builds upon these recommendations. The trend in the US for regulating publicly traded companies, as well as banks, is to set ‘reasonable’ standards for information security and to leave it to the regulated entities to develop their own information security processes. With this in mind, Part V concludes with a summary and recommendations for the adoption of a similar approach in Australia.

1 Mandatory Data Breach Notification Laws Outside Australia

There are two primary purposes behind all data breach notification laws.[9] The first is to impose reputational sanctions upon organisations with substandard information security practices and compel them to improve their data security procedures and policies.[10] The second is to formally protect and enhance the rights of consumers to control how their personal information is collected, utilised and divulged to others and, moreover, to ensure that those affected by data breaches are notified of this risk and given an opportunity to mitigate their losses.[11]

As a general rule, data security breach notification laws address the following issues: what constitutes a ‘security breach’, as well as ‘harm’; the meaning of ‘personal information’; the person(s) who must be notified and when notification must take place; how notification is to occur and what the notification should contain; and the consequences for failing to notify and/or neglecting to abide by the mandatory data protection rules.[12] The obligation to notify, which is fundamental to all data security breach notification laws, is intended to increase accountability on the part of public and private organisations by ensuring that these entities assume responsibility for the information they collect and, in turn, become accountable for their actions in the storage and use of that data. This does not necessarily include punishing breached entities, which is frequently done in the US, because punishment might discourage organisations from reporting breaches to anyone.

From this point of view, the normative basis for data breach notification law is the management of risk by both regulators and stakeholders.[13] Governments can take steps to limit the risks faced by individuals and organisations by imposing legal and technical standards while taking into account how quickly technological capabilities can change.[14] Ultimately, though, the protection of consumers’ personal information rests on risk management decisions made by the relevant stakeholders in terms of whether or not the appropriate protections are in place, or the relevant precautions are adhered to.[15] Regulation can stem from a combination of legal rules, technical standards, and management norms, including risk-management, surveillance and enforcement. The government can set market-oriented standards that seek to reduce risk and increase safety, and stakeholders can take precautions and implement systems to reduce harm.[16] In other words, law, technology and self-regulation have an important and equally legitimate role to play in enhancing accountability and mitigating risk. As discussed below, mandatory data breach notification law is only one component of this regulatory objective.

This Part examines mandatory data breach notification statutes implemented in jurisdictions outside Australia. The first such law was enacted in the United States, by the state of California, and it came to national attention following a number of large-scale data breach incidents across America. Most notably, approximately 160 000 individuals had their social security numbers and other private information exposed by ChoicePoint, a company that compiles consumer data for resale (and is now a division of LexisNexis), resulting in more than 800 cases of identity theft.[17] In the wake of that alarming episode, the Attorney General of California declared that, ‘[v]ictims of identity theft must act quickly to minimize the damage; therefore expeditious notification of possible misuse of a person’s personal information is imperative.’[18] Unfortunately, though, California’s data breach notification statute did little, if anything, to stem the rising tide of data security breaches across the US.

Regan reports that,

[the ChoicePoint breach] was quickly followed by other similar disclosures of security breaches by the LexisNexis Group, Bank of America, and Citibank ... [and] by the end of October, 2005, the Privacy Rights Clearinghouse had identified eighty data breaches in the previous eight months, involving [personal data belonging to] more than 50 million people.[19]

The enormity of the crisis and the resulting media attention it garnered, in addition to public and governmental fears about identity theft, brought the problem to the attention of legislators throughout the country.[20] California’s data breach law was exceptional and unique until a similar statute was passed in the state of Arkansas on 31 March 2005.[21] Since then, it has served as a model for a plethora of other state initiatives, and it has had a national impact on the storing and safeguarding of personal information in organisations across the US.

The data protection system implemented in the US is complex and multi-tiered, comprising federal and state regulations in addition to more narrowly targeted sector-specific laws. Generally speaking, the state laws provide a market-based solution that, on the one hand, promotes consumer protection through post-hoc measures including notification and mitigation, while, on the other, compels the implementation of remedial information security solutions, such as sound data protection policies and practices. In addition, a large number of federal proposals for national legislation on mandatory data breach notification have been put forward but not realised. In contrast, the European Union has adopted a comprehensive protection regime at the intra-state level. These divergent regulatory models illustrate that there are a variety of ways to consider the problem of data protection, not least with respect to the question of whether it is best dealt with from the perspective of privacy or of security, in terms of establishing technical safeguards, risk assessment and risk management, harm reduction, accountability, and so on.[22]

However well intended they are, data breach notification laws have been controversial in the US and the EU. Recent evidence shows that the effect of breach notification statutes in the US may be very small, or even statistically insignificant.[23] A well-documented study at Carnegie Mellon University examined reporting data collected from the Federal Trade Commission (FTC) for each state from 2002 to 2009, and compared states with data breach notification laws to those without them. If the laws were effective, the states with data breach notification laws should have experienced a reduction in identity theft incidents relative to the others. Yet the researchers found that the laws decreased identity theft by merely 1.8%.[24] While the laws were most effective in the 6-12 months following their implementation, this was simply the result of ‘a temporary heightened awareness by consumers of the notifications, causing them to briefly take more precautions.’[25]

These findings suggest that the data breach notification laws implemented at the state level in the US have not been especially effective at curbing identity theft, even though that crime is far more prevalent there than in the European Union or Australia.[26] One might therefore expect any reduction in those other jurisdictions to be smaller still. On the other hand, breach notification is about more than simply reducing the incidence of identity theft. It is about enabling people to have greater control over their personal information and encouraging organisations to invest in security technologies. These issues are explored in further detail in the remainder of this Part.

1.1 The United States

The California Civil Code § 1798.29(a), which came into effect on 1 July 2003, requires Californian businesses that suffer a breach of unencrypted ‘personal information’ to notify affected residents within a reasonable time and without delay.[27] Notice must be particularised, in that it must identify the source and victim of the breach.[28] Notification may be given by letter or electronically (such as by email); substitute notice, by posting on the organisation’s website and through statewide media, is permitted where the breach involves more than half a million people or notification would cost more than USD 250,000.[29]

Without a doubt, the focus of the California statute is on giving notice to customers within the ‘most expedient time possible and without unreasonable delay’[30] unless (a law enforcement agent or agency decides that) it will ‘impede a criminal investigation.’[31] The underlying policy rationale is that the apprehension and prosecution of suspects in identity theft cases is more important than enabling the victims to protect themselves in the aftermath of a breach and to mitigate their losses.[32] In addition to the imposition of criminal penalties, the law also enables victims to sue breached organisations in civil court for failing to abide by the notification and data security requirements.[33]

Furthermore, according to the California statute, ‘any person or business’ must ‘notify the owner or licensee of [any breach of security of personal information]’[34] following any ‘unauthorized acquisition of computerized data that compromises [its] security, confidentiality, or integrity’.[35] Building on the aforementioned work of Schwartz and Janger, the authors Burdon, Lane and von Nessen have observed that the California law has a low ‘triggering threshold’ because ‘notification is required simply when an organisation has suffered, or believes it has suffered, an unauthorised acquisition of unencrypted and computerised personal information’[36] regardless of whether the unauthorised person ‘will go on to misuse it.’[37] Thus, one of the most striking objections to the California statute is that the requirement for consumer notice is so loose that it produces an overabundance of data breach disclosure letters, leading to what some critics have termed ‘The Boy Who Cried Wolf’ predicament.[38] The trouble, as illustrated by Aesop’s famous fable, is that when people receive too many notices, they quickly learn to ignore them, even in situations of real risk.

Schwartz and Janger have observed that the focal point of California’s data breach notification scheme is to impose a ‘reputational sanction’[39] upon businesses by ensuring that there is a maelstrom of publicity surrounding an entity that suffers a breach.[40] And if this is, indeed, the primary purpose of notification, then public recrimination is essential, as it enables consumers to change their market behaviour in response to negative information.[41] However, if the goal of the legislation is simply to enable affected customers to take steps to mitigate their losses in the aftermath of a breach, then identifying the source, or target, is far less essential.[42] Also, notification might needlessly frighten consumers where little or no harm exists; or, conversely, if notification in non-threatening situations becomes commonplace, it can lead to a reduction in effectiveness by encouraging consumers to not react.[43]

The California model may also perversely encourage organisations to cover up their mistakes and refuse to notify customers, or to inadequately respond to breaches for fear of triggering their disclosure obligation, due to the threat of economic and reputational sanctions. Moreover, it provides no mechanism for regulators, and other organisations, to gain valuable knowledge of data security failures, and thereby learn from those experiences.[44] Also, the California data breach notification scheme assumes that consumers will rely on reputational information to punish those entities with poor security practices by taking their business elsewhere.

Yet these assumptions about consumer behaviour are overly optimistic (we know, for example, that customers continued to shop at T J Maxx after the store suffered a massive data breach event),[45] particularly if we take into account the consumer fatigue that can result from the glut of data breach notification letters arriving in one’s mail.[46] The Ponemon Institute surveyed 9154 consumers who had received some form of notification about a data breach incident, and more than 39 per cent of them thought that the notices were little more than junk mail or marketing-related.[47] In addition, 48 per cent said that the notice was confusing or misleading, and over 49 per cent said that it did not provide them with enough detailed information.[48] There is also considerable effort involved in switching service providers, and a lack of transparent data that would enable a consumer to objectively evaluate the data security practices of institutions within the same industry sector, such as determining whether better information security is offered at the Commonwealth Bank or the National Australia Bank. Furthermore, if the target of the breach is an outsourcing entity, a consumer cannot choose to stop doing business with the company that handles payments, provides insurance, or stores or transports data for a third party.[49]

As previously mentioned, California’s data breach notification statute also contains a notification exemption for encrypted[50] information.[51] Thus, if an organisation mishandles encrypted personal information, it does not have to notify anyone.[52] The reasoning is to encourage public and private sector entities to adopt encryption technologies to safeguard against the risk of data breaches, and to reduce the regulatory compliance load upon businesses, as well as to ensure that consumers are not overburdened by data breach notification letters and the like.[53] On the face of it, the use of encryption software seems to be extremely valuable to organisations seeking to safeguard personal information, in that it is likely to mitigate harm, while increasing overall safety.

Proponents maintain that excluding encrypted data from notification encourages regulated entities to adopt these technologies and keep them up to date.[54] Moreover, the costs of encryption are far lower than the expenses associated with data breaches.[55] However, opponents have raised alarm bells about the weakness of an exemption that turns on the label ‘encrypted’ rather than on whether the data was actually rendered unreadable.[56] The fundamental problem is that a number of data security breach scenarios then escape notification regardless of whether a risk of harm exists.[57] An exemption that does not ask which algorithm and mode were used, whether the encryption was in force for the data actually taken, or whether the key was compromised alongside the ciphertext, exempts breaches in which the attacker can read the data. In other words, encryption clauses like the one contained in California’s data breach notification statute can create an unacceptable loophole, because any type of encrypted information, regardless of how secure it is, will be exempt from notification following a breach.[58]

Notwithstanding these shortcomings, over twenty-one state legislatures in the US followed California’s lead and passed data breach notification laws in 2005 alone. To date, forty-seven states, the District of Columbia and two territories, Puerto Rico and the Virgin Islands, have enacted data breach notification laws, and twenty-three of these are modelled on the California law.[59] As with other public policy issues, the individual states have designed their data breach notification statutes in accordance with their own values and interests.[60] This means that if a data breach involves customers in more than one state, affected businesses must expend a great deal of time and effort ensuring that they understand the laws of each applicable state, and how and when they need to comply with them, because some states may require notification while others may not.[61]

There are also a number of companies in the US that collect information about individuals from both public and non-public records, and they must abide by industry-specific ‘soft’ management process standards.[62] Financial institutions, for example, as well as the outsourcing entities that access or use their customer information, are required to comply with Title V of the Gramm-Leach-Bliley Act (GLBA), which was enacted in 1999.[63] Its purpose is to protect the privacy and security of customers’ non-public personal information, including by regulating how that information is shared among financial institutions and with third parties.[64]

If a financial institution opens a new account for a customer, it must provide the individual with the following information (and annually thereafter) according to the GLBA: the personal information it collects; how it intends to use the personal information; and how the individual can ‘opt out’ of those future uses.[65] United States financial institutions must also conduct periodic risk assessments; develop data security procedures for managing risk; use disclosure and other safeguards when security systems fail; and penalise employees who do not abide by the data security measures in place. These standards reflect a risk-management approach, as they require financial institutions to implement appropriate standards and processes to deal with information security issues and concerns within their organisations.[66]

Similarly, the Health Insurance Portability and Accountability Act (‘HIPAA’) covers a variety of healthcare-related entities and their business associates, including medical practitioners, nursing homes, pharmacies (if they transmit electronic data), HMOs and health insurance companies, and third-party service providers, which must notify affected individuals following a breach of health data, regardless of whether or not they own it, within 60 days of the breach.[67] Reporting obligations vary depending on the scope and scale of the breach; however, if the number of affected individuals exceeds 500, the entity must notify ‘prominent media outlets’ as well as the Secretary of Health and Human Services (HHS), who will publish the breach on the HHS website.[68]

There has also been recent discussion in the US about the advantages of having a federal data reporting law that would apply nationally as, for businesses involved in interstate commerce, the state system is a complex and convoluted regulatory nightmare; they must always keep informed about amendments to the state laws that might impact their policies and practices.[69] For that reason, on 21 June 2012, Republican Senator Pat Toomey introduced the Data Security and Breach Notification Act of 2012.[70] The Bill was referred to Committee on that same day and did not proceed further.

It is noteworthy that, as with the state data breach notification laws discussed above, the focus of the federal Bill was on notification in the aftermath of a breach and not on implementing effective security measures that might prevent the incident from occurring in the first place. Only eight states impose a substantive duty upon organisations to take steps to protect data, such as by providing ‘reasonable’ security procedures and practices.[71] Moreover, it is evident from the foregoing that the US model is excessively piecemeal in its approach. Finally, the broad scope of many data breach notification statutes in the US, particularly the setting of a low ‘triggering threshold’, has rendered the notice ineffective or even meaningless.[72]

1.2 The European Union

The EU has adopted a harmonised regulatory model for the protection of electronic data. Directive 2002/58/EC,[73] also known as the ‘ePrivacy Directive’, applies to all member states of the EU.[74] On 6 May 2009, the European Parliament voted to adopt amendments to the ePrivacy Directive, following an agreement struck between the European Parliament and the Council of the European Union on their text. The Council formally adopted the amending Directive on 26 October 2009, and member states had to bring their national laws into conformity by 25 May 2011.[75]

The scope of the Directive is narrower than that which applies across the US states, in that the provisions only apply to organisations in the electronic communications sector. The 2002 version of the ePrivacy Directive was amended and supplemented in December 2009 by the so-called ‘Citizens’ Rights Directive’, which sets out obligations for ISPs and telecommunications service providers to notify affected individuals and/or authorities of security breaches that compromise personal information.[76] This amendment established the first mandatory data breach disclosure regime for the EU, and it is likely to be the foundation for a broader security breach disclosure framework applying to other holders of personal information throughout the EU.[77]

On 7 February 2013, the European Commission made a proposed new Cyber-Security Directive public, in which it plans to expand the data security and system breach notice obligations to thousands of companies in designated ‘critical’ sectors of the EU.[78] In addition, the European Commission has already proposed a new data protection regulation that would expand the data breach notice requirements already in place for telecommunications service providers under the 2009 amendments to other types of organisations.[79]

A small handful of individual EU member states, including Germany and Spain, had already passed data breach notification type laws; however, the 2009 provisions, which apply broadly to all EU member states, override any national regimes that were already in place.[80] This regulatory scheme stands in stark contrast to the patchwork of regulatory initiatives implemented in the US, which, as discussed above, is made up of a multitude of state and federal regulations of different complexity, at various levels throughout the country.[81] The Directive also contains mechanisms for regulators to learn about data security failures across the EU, which is an area in which the California data breach notification statute (as well as a number of subsequent state initiatives) falls glaringly short.

Pursuant to Article 2(h) of the ePrivacy Directive, a security breach must concern ‘personal data.’ Personal data is broadly defined in Article 2(a) as ‘any information relating to an identified or identifiable natural person’[82] and includes traffic data[83] to the extent that it relates to a person.[84] The provision also contains a definition of a ‘personal data breach’ which is very broadly defined as it covers breaches of any personal data (ie the destruction, disappearance, modification, unauthorised leak of or access to personal information in any form) in connection with the provision of a public electronic communications service.[85]

The obligation to disclose security breaches has two distinct features.[86] First, it includes a blanket duty to notify a national authority about a personal data breach.[87] This means that each personal data breach, as defined in Article 2(h), must be notified to the authorities, without exception.[88] In some member states this will be the data protection authority, whereas in others it will be the relevant telecommunications regulator.[89] All breaches, regardless of their actual or potential harm, must therefore be disclosed to the competent regulatory authority.[90] The notification to competent authorities must explain the consequences of the breach and the steps taken by the service provider to address it.[91] The authorities can also issue their own guidance and instructions on the different aspects of breach notification, including circumstances, format and method.[92] This broad-based obligation to notify the relevant regulatory authority is likely to generate more accurate and up-to-date statistics about the scope and scale of data breaches across the EU. Hopefully, this will enable policymakers to better understand the problem and implement further initiatives at the inter-state level to deal with it.

Second, in cases where the breach ‘is likely to adversely affect the personal data or privacy of a subscriber or individual,’ the covered entity must notify the affected subscriber or individual without delay.[93] Notification to subscribers must explain the breach, provide information about how to get in touch with the service provider, and recommend steps to reduce the harm caused by the breach.[94] This provision is intended to ensure that consumers are notified about the potential risks they face in light of the breach and given an opportunity to mitigate those threats, such as by changing passwords and closing their accounts.[95] This is the fundamental policy rationale underpinning the ePrivacy Directive.[96] Barcelo and Traung have observed, though, that citizens’ expectations of protection from harm are not met by the revised ePrivacy Directive as it currently stands, because ‘[f]rom a user perspective, it does not matter whether personal data are lost by a provider of communications services or by someone else.’[97]

The fact that individuals are only notified if the breach is likely to adversely affect their privacy or personal information is meant to solve the problem of over-notification and notification fatigue, discussed above, without significantly undercutting citizens’ right to be informed.[98] Because the breached organisation itself assesses whether adverse effects are likely, this threshold might appear to reintroduce the problem identified with the California model, whereby the threat of reputational sanctions encourages an organisation to conclude that its notification requirement has not been ‘self-triggered’. However, regulatory authorities are entitled to conduct audits to determine whether or not providers have fulfilled their reporting requirements, and are further able to impose sanctions in the event of non-compliance.[99] In addition, they can overrule a breached organisation’s finding that there is no possibility of injurious effects.[100]

The ePrivacy Directive also requires covered entities to take steps to safeguard data so that access can only be gained by authorised persons for lawful purposes, which includes putting a security policy in place with respect to the processing of personal data, and safeguarding the data against inadvertent or illicit destruction, loss, modification, access or leak.[101] Indeed, notification to individuals is not required if the covered entity can show that it had appropriate protective measures in place, such as measures that render the data unintelligible to anyone not authorised to access it, and that those measures were applied to the compromised data at the time of the breach.[102] This is essentially a codification of the ‘encryption exemption’ discussed above, and it is designed to encourage organisations to adopt appropriate preventive security measures. Covered entities must also keep a record of all breaches, which must include: the specifics of the breach; its consequences; any corrective measures taken; and any other pertinent data demonstrating compliance with the breach notification requirement.[103]
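Both the California encryption exemption discussed above and the ePrivacy ‘unintelligible to anyone not authorised’ clause ultimately rest on a question of fact: can whoever holds the stolen data read it? The following is an added worked example, not code from the article or from any regulator, of how a breached organisation’s incident responder would answer that question before claiming the exemption. The breach record is constructed for illustration: a dumped customer table with three columns, one encrypted with AES-GCM under a key that was not in the dump, one ‘pseudonymised’ as an unsalted SHA-256 hash of the date of birth, and one in plaintext. The column names, the protection labels and the helper names are assumptions. The example shows that a deterministic hash of a low-entropy field is recovered by simply enumerating every plausible date, so the label ‘encrypted or hashed’ does not, on its own, establish that the data was unintelligible.

```python
"""Added example: testing whether breached data was really 'rendered unintelligible'.

The breach record below is constructed for illustration and is not taken from
the article or from any real incident. Column names, protection labels and
helper names are assumptions.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Column:
    name: str
    protection: str            # assumed labels: "plaintext" | "aes-256-gcm" | "sha256-unsalted"
    key_in_dump: bool = False  # was the decryption key recovered alongside the data?
    sample: str = ""           # one stored value, used by the recovery test below


def dob_digest(iso_date: str) -> str:
    """'Pseudonymisation' as often described after a breach: unsalted SHA-256 of the ISO date string."""
    return hashlib.sha256(iso_date.encode()).hexdigest()


def recover_dob(digest: str, earliest: str = "1900-01-01", latest: str = "2013-12-31") -> Optional[str]:
    """Invert an unsalted hash of a date of birth by enumerating every plausible date.

    About 42 000 candidates cover a century and hashing them takes well under a
    second, so the field is readable by anyone holding the dump.
    """
    d = date.fromisoformat(earliest)
    end = date.fromisoformat(latest)
    while d <= end:
        candidate = d.isoformat()
        if dob_digest(candidate) == digest:
            return candidate
        d += timedelta(days=1)
    return None


def unintelligible(col: Column) -> bool:
    """The factual test behind the safe harbour: can the attacker read this column or not?"""
    if col.protection == "aes-256-gcm":
        # Strong encryption only counts if the key did not leak together with the data.
        return not col.key_in_dump
    if col.protection == "sha256-unsalted":
        # A hash of a low-entropy value is enumerated, not guessed; if we can
        # recover the stored digest here, so can the attacker.
        return recover_dob(col.sample) is None
    # Plaintext, or a scheme we cannot vouch for: assume it is readable.
    return False


def notification_required(columns: List[Column]) -> bool:
    """The exemption applies only if every compromised column is unintelligible."""
    return not all(unintelligible(c) for c in columns)


# Constructed dump: which columns were taken and how each was protected.
CONSTRUCTED_DUMP = [
    Column("card_pan", "aes-256-gcm", key_in_dump=False),
    Column("date_of_birth", "sha256-unsalted", sample=dob_digest("1984-07-03")),
    Column("email", "plaintext"),
]


if __name__ == "__main__":
    for col in CONSTRUCTED_DUMP:
        print(f"{col.name:14s} {col.protection:15s} unintelligible={unintelligible(col)}")
    print("notification required:", notification_required(CONSTRUCTED_DUMP))
```

Run against the constructed dump, only the AES-GCM column passes the test; the hashed date of birth is recovered in one pass over the candidate dates and the plaintext column is trivially readable, so notification is required. The same structure applies to the California model: a decision that turns only on whether a column was labelled encrypted, without the key-compromise check in `unintelligible`, would exempt this breach.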

The requirement for covered entities to implement robust security measures to safeguard against data security breaches is clearly meant to encourage service providers to invest in technological protection mechanisms that protect the data and prevent breaches from occurring. The underlying rationale is that they will increase their investment in security and implement internal policies and procedures to better protect personal data.[104] The failure of non-covered entities to adopt these measures voluntarily suggests the need for formal regulation.[105] At the same time, the Carnegie Mellon study discussed above, in which the researchers found that data breach notification laws implemented in the US reduced identity theft by merely 1.8 per cent overall, demonstrates how difficult it is to design enforcement mechanisms that work in this area. Nevertheless, the EU data security breach framework strikes a reasonable balance between the individual’s right to be informed about breaches that may affect their personal privacy and the obligations imposed on covered entities; and, moreover, it is supported by rigorous enforcement mechanisms, which provide authorities with investigation and sanction powers in the event of non-compliance.[106]

2 Mandatory Data Breach Notification Laws in Australia

Australia does not currently have mandatory data breach notification laws. However, the Privacy Commissioner, who is part of the Office of the Australian Information Commissioner (OAIC), encourages notification by entities in accordance with the OAIC’s voluntary guidelines, entitled the ‘Guide to Handling Personal Information Security Breaches’.[107] The goal of the voluntary guidelines is to enhance security whilst encouraging and fostering transparency about the privacy practices of Australian organisations. The Australian Privacy Commissioner, Timothy Pilgrim, has indicated that the voluntary scheme has been successful, pointing to the fact that in 2011-2012 the OAIC received 46 voluntary data breach notifications, compared with 56 in 2010-2011.[108]

Nevertheless, following the lead of the ALRC, the Federal Attorney-General’s Department, under the then Gillard Government, released a discussion paper in October 2012 seeking comment from stakeholders on whether to introduce new laws to make the notification of data breaches mandatory at the federal level.[109] The proposal focused on amendments to the Privacy Act 1988 (Cth) as a means of implementing data breach notification laws across Australia. While the Privacy Act imposes obligations to keep personal information secure from misuse, loss and unauthorised access, it contains no requirement for agencies and organisations to notify individuals, regulators or law enforcement agencies of data breaches.[110] This means that while covered entities are obliged to minimise the likelihood that personal information in their possession could be compromised, they are not required to notify any individual or agency in the event of an actual security breach.[111]

Following an extensive period of government inquiry, recommendation and reporting on this issue, the Gillard Government introduced the Privacy Amendment (Privacy Alerts) Bill 2013 into Parliament at the end of May 2013.[112] If passed, the Bill would have amended the Privacy Act to introduce a new mandatory data breach notification scheme for ‘Australian Privacy Principle (APP) Entities’,[113] which include public sector agencies, private sector organisations (other than small businesses), credit reporting bodies and credit providers.[114] The scheme replicated much of what the ALRC had advocated in its review of Australian privacy law, including that the trigger for notification should be where the breached entity believes that a breach ‘may give rise to a real risk of serious harm to any affected individual.’[115] Accordingly, the threshold for notification under the Bill was a reasonable belief by the entity that the data breach was a ‘serious data breach’, that is, one significant enough to pose a real risk of serious harm to affected individuals.

However, the Bill did not define ‘serious harm’ other than to note that it includes harm to reputation, economic harm and financial harm, so long as the risk is not remote.[116] It would therefore have been left to the breached entities themselves to assess each incident on a case-by-case basis and determine whether its circumstances gave rise to a reasonable belief that affected individuals faced a real risk of serious harm. This may mean that affected companies have to give notice to an extremely wide class of individuals, who might then seek compensation through a class action.[117] For that reason, breached entities may fail to self-trigger their notification requirement and instead cover up breaches because of the threat of reputational harm, as discussed in Part I above.

Under the proposed Bill, an organisation would have been required to notify the Australian Information Commissioner in the event of a serious data breach, setting out, among other things, a description of the breach, the kinds of information compromised, and any remedial steps that affected individuals should take. The Bill also required the breached entity to notify each affected individual as soon as practicable, providing the identity and contact details of the breached entity; a description of the data breach; the kinds of information concerned; recommendations about the steps that individuals should take in response; and any other information specified in the regulations.[118] The breached entity would have had to provide this information to individuals directly or take reasonable steps to notify them, or, if this was not practicable, publish a copy of the statement on its website and in a newspaper circulating in each State.[119]

These notification requirements are problematic, however, for the same reasons discussed above with respect to the California data breach notification model. The breadth of the term ‘serious harm’ gives rise to the possibility that organisations will over-notify (particularly if they fear recrimination by the OAIC), leading to notification fatigue and the other related problems discussed earlier. Moreover, reputational sanctions by themselves have been shown to be ineffective, because individual consumers are generally reluctant to vote with their feet and leave a breached organisation, or are not equipped to do so for a variety of reasons, as set out in Part I.

The Australian Information Commissioner could also have exempted an organisation from publicly reporting a data breach where doing so was deemed to be in the public interest, such as where notification would impede a law enforcement investigation.[120] The Bill also enabled the Commissioner to direct an entity to notify affected individuals where it had not done so. A failure to comply with the notification requirement would also have triggered the Commissioner’s enforcement powers, including the power to award compensation and to seek civil penalties for serious or repeated infractions.[121]

At first glance, the requirement of notification to the Australian Information Commissioner appears to get around the problem of non-reporting that the fear of reputational sanctions can give rise to, as discussed above. Unfortunately, this is not the case, for two reasons: the proposed law would not have applied to the bulk of private sector companies in Australia (as it applied only to ‘APP Entities’, which exclude most small businesses), and not all data breaches were required to be notified to the Commissioner, but only those where the ‘risk is not remote.’ These issues would need to be re-examined before data breach notification laws could be effectively implemented in Australia.

3 Achieving Enhanced Regulation and Data Protection

There is a close nexus between the failure to safeguard personal information and the occurrence of data security breaches, and this is measurable in terms of economic harm or financial liability.[122] Indeed, the primary goal of data breach notification law is to minimise the pecuniary losses that flow from unauthorised access to personal information, particularly in the context of identity theft. The reputational sanctions that underlie breach notification statutes serve the same end: through negative publicity, an organisation can be compelled to change its information security practices, resulting in fewer breaches, and therefore less cost to individual and organisational victims.

However, it is short-sighted to rely on notice alone to protect against the problems that flow from data security breaches. Without doubt, the real concern is not with notification by itself, but with deficient data security practices within organisations. From this perspective, data breach notification laws that do not incorporate information security and risk assessment requirements are unlikely to achieve long-term success, because they provide few incentives to encourage full disclosure and regulatory compliance over time.[123] While notification may be a useful way to gain a better understanding of the scope and scale of the problem, to give customers more control over their personal information, and to encourage organisations to improve their network security, it will not, on its own, prevent data breaches from occurring.[124]

Moreover, the traditional model of data breach notification laws, discussed above, fails to differentiate between organisations that maintain good information security practices over the long term and those that demonstrate a wanton and reckless disregard for the personal information they are responsible for protecting.[125] What is needed is a process-based model that combines corporate accountability with the implementation of effective technical and non-technical organisational practices.[126] More collaborative forms of regulation can be expected to reduce the need for punitive measures, as well as to decrease the cost of public enforcement (particularly where non-compliance within organisations is difficult to detect and easy to cover up).[127]

The process-oriented approach to regulation has become the instrument of choice for managing risk in publicly traded companies, as well as banks, in the US.[128] Organisations in many different industry sectors are now required by law to abide by industry-specific ‘soft’ management process standards, such as those under the GLBA, discussed above, and to establish risk-assessment and information security programs to protect information.[129] Since ‘risk’ itself is highly context-specific, and plays out differently across a range of diverse industry sectors, the choice of security measures and technology implemented can depend upon the type of organisation: its size, its sophistication and complexity, the type and scope of its business activities, and the nature and sensitivity of the data it holds.[130]

A risk-based approach uses less coercive forms of regulation and emphasises self-regulatory initiatives wherever possible.[131] It allows mitigation objectives to be determined internally, on an organisation-by-organisation basis, according to the particular threats faced by the organisation at the relevant time, as well as the costs of responding to them.[132] The goal is simply to set ‘reasonable’ standards for information security and leave it to the regulated entities to develop their own security processes, rather than stipulating the measures that must be adopted or the outcomes that must be achieved.[133] Ultimately, this leaves regulated firms with the task of setting appropriate standards, and it enables them to review, rework and revise their own risk-reduction goals independently, particularly as technology progresses.[134]

Along these lines, the regulator can identify best practices for safeguarding against data security breaches, which might include keeping up to date with evolving industry standards and procedures, intrusion detection, encryption, firewalls and the like, as well as risk management, auditing and employee background checks. The regulator could also require the development of reasonable physical, administrative and technical security procedures and practices (preferably in writing) to manage and offset these risks, and to achieve objectives such as ensuring the availability of systems and data; preventing the unlawful or accidental destruction, modification, loss or disclosure of information; and ensuring the confidentiality, integrity and availability of information.[135] The periodic monitoring and testing of these mechanisms, including making adjustments and implementing updates where necessary, is also important. Accordingly, independent audits of physical and technical security, conducted both internally and, where applicable, by independent third-party professionals, together with reporting and incident tracking, might also be required.

For their part, organisations can identify key information assets (including communications and processes, as well as information systems) and conduct risk assessments to identify internal and external vulnerabilities and threats. In addition, they can assess the likelihood that each threat will materialise and evaluate the potential harm that might result. Organisations can further guard against employee mistake or misconduct, including outright fraud, by restricting which classes of workers may access which kinds of data. They can also audit for compliance and monitor network security in real time, flagging suspicious activity.[136] Along the same lines, the training and education of employees about the threats and vulnerabilities the organisation faces, as well as about its security program and incident response plan (including developing education tools and techniques, effectively screening and monitoring employees, and imposing sanctions where necessary), is critical.

Conclusion

Mandatory data breach notification laws have brought much-needed attention to areas of concern that were previously hidden from view, particularly organisational inadequacies in the security of personal information, and have led to innovative organisational practices and regulatory initiatives. This is important given that there is little or no incentive for private and public organisations to report data breach information on their own, particularly in light of the fear of reputational sanctions.[137] Yet data breach notification laws can also bring publicity to breaches that are relatively minor and unlikely to have a significant impact given the low risk of identity theft, which can unnecessarily lead to costly legal action or regulatory inquiry.[138]

Corporate obligations regarding security originate from many sources, including the common law, statutes and regulations, contracts and industry standards, and they cover a wide range of data types, not just personal information.[139] In addition to these obligations, we have witnessed a global trend toward the enactment of laws and regulations that impose a duty to disclose data security breaches. Many countries, including Australia, have enacted or are considering such schemes to address the problem of identity theft. Data breach notification laws can be beneficial for Australians, but only if they are implemented in a manner that seeks both to reduce the harm from breaches and to improve data security so that breaches do not occur in the first place. They must also be implemented in conjunction with other regulatory initiatives designed to increase voluntary compliance and self-regulation, together with investigation and independent oversight functions, such as periodic security audits.[140]

Data breach notification laws can play an important role in transforming business practices and increasing consumer awareness through increased media coverage and post-hoc measures. This can change the way an individual employee thinks about his or her role in managing data on a day-to-day basis. For example, an employee who recognises that a breach can result in the loss of individuals’ social security numbers, with the potential for significant corporate liability in the form of lost revenue and negative publicity, may treat consumers’ personal information with correspondingly greater care.[141]

Thus, the potential for public recrimination triggered by notification can strengthen awareness of sound data security practices within organisations. Mandatory data breach notification laws can therefore be effective at fostering good data security awareness, as well as increasing transparency and accountability with respect to information security practices, both to avoid ‘brand tarnishing’ issues and to achieve a competitive advantage.[142] However, reliance upon a single form of regulation is not likely to be effective at achieving modern policy goals in today’s complex global information society. More pragmatic and functional regulatory mechanisms in this area should rely on the enhancement of sound business practices and IT security measures that could lead to a reduction in costly breaches over time.


[*] BA; LLB; LLM; PhD (Law). Associate Professor, Bond University, Faculty of Law, Gold Coast, Australia.

[1] Cecile de Terwangne, ‘Is a Global Data Protection Regulatory Model Possible?’ in Gutwirth, et al (eds), Reinventing Data Protection? (Springer, 2009) 177.

[2] Vincent R Johnson, ‘Cybersecurity, Identity Theft and the Limits of Tort Liability’ (2005) 57 Southern California Law Review 255; Paul M Schwartz and Edward J Janger, ‘Notification of Data Security Breaches’ [2007] MichLawRw 59; (2006) 105 Michigan Law Review 913, 917.

[3] Ibid 917.

[4] Commonwealth of Australia, Attorney-General’s Department, ‘Australian Privacy Breach Notification’ (Discussion Paper, October 2012) 2

<http://www.ag.gov.au/Consultations/Documents/AustralianPrivacyBreachNotification/AustralianPrivacyBreachNotificationDiscussionPaper.PDF> .

[5] Ibid.

[6] The Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 was recently circulated by the Federal Attorney General’s Department on a limited and confidential basis. Darren Paul, Exclusive: Data Breach Notification Bill Revealed (2 May 2013) Secure Business Intelligence Magazine

<http://www.scmagazine.com.au/News/341776,exclusive-data-breach-notification-bill-revealed.aspx> .

[7] Australian Law Reform Commission (ALRC), Review of Australian Privacy Law, Discussion Paper No 72 (September 2007)

<http://www.austlii.edu.au/au/other/alrc/publications/dp/72/> .

[8] Commonwealth of Australia, Attorney-General’s Department, above n 4, 5.

[9] Mark Burdon, Bill Lane and Paul von Nessen, ‘The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments’ (2010) 26(2) Computer Law & Security Review 115.

[10] Ibid.

[11] Ibid.

[12] Jacqueline May Tom, ‘A Simpler Compromise: The Need for a Federal Data Breach Notification Law’ (2010) 84 St John’s Law Review 1570, 1577.

[13] Pierre Trudel, ‘Privacy Protection on the Internet: Risk Management and Networked Normativity’ in Gutwirth, et al (eds), Reinventing Data Protection? (Springer, 2009) 318.

[14] de Terwangne, above n 1, 175.

[15] Ibid.

[16] Trudel, above n 13, 329.

[17] Tom, above n 12, 1569.

[18] California Legislative Counsel’s Digest, Bill Number: SB 1386

<http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020630_amended_asm.html> . See also Benjamin Wright, ‘Internet Break-ins: New Legal Liability’ (2004) 20(3) Computer Law and Security 171, 171.

[19] Priscilla M Regan, ‘Federal Security Breach Notifications: Politics and Approaches’ (2009) 24(3) Berkeley Technology Law Journal 1103, 1105.

[20] Ibid.

[21] Ark Code Ann §§ 4-110-101 to 108 (2010).

[22] de Terwangne, above n 1, 180-181.

[23] Kristof van Quathem, ‘Personal Data – Security Breach Notification in the European Union: First Step Taken, More to Come’ (2010) World Data Protection Report, Bureau of National Affairs, 21

<http://www.cov.com/files/Publication/3c4eadcd-c074-44f8-925f-4a63d5304d70/Presentation/PublicationAttachment/9c8fb8a0-b55a-4464-ac4b-4a7722eda833/Security%20breach%20Notigication%20in%20the%20EU,%20first%20step%20taken,%20more%20to%20come.pdf> .

[24] Sasha Romanosky, Rahul Telang and Alessandro Acquisti, ‘Do Data Breach Disclosure Laws Reduce Identity Theft?’ (2011) 30(2) Journal of Policy Analysis and Management 256.

[25] Ibid.

[26] van Quathem, above n 23, 21.

[27] Cal Civil Code § 1798.82(e) (2006). The California Civil Code § 1798.82(e)–(f) (2006) defines ‘personal information’ as:

(e) ... an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver’s license number or California Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

...

(f)(1) For purposes of this section, ‘personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

See also Flora J Garcia, ‘Data Protection, Breach Notification, and the Interplay Between State and Federal Law: The Experiments Need More Time’ (2007) 17 Fordham Intellectual Property Media and Entertainment Law Journal 693, 703.

[28] Schwartz and Janger, above n 2, 932.

[29] Ibid. Note that in California, notice may be either written or electronic.

[30] Ibid, 941.

[31] Cal Civil Code §1798.82(c) (2006).

[32] Schwartz and Janger, above n 2, 943.

[33] Ibid 943.

[34] Cal Civil Code §1798.82(b) (2006).

[35] Ibid §1798.82(d).

[36] Burdon, Lane and von Nessen, above n 9, 117.

[37] Schwartz and Janger, above n 2, 938.

[38] Ibid 916.

[39] Ibid 917.

[40] Ibid 936.

[41] Ibid 937.

[42] Ibid.

[43] Ibid 939.

[44] Ibid 944.

[45] Larry Greenemeier, The TJX Effect: Details of the Largest Breach of Customer Data are Starting to Come to Light (11 August 2007) InformationWeek <http://www.informationweek.com/the-tjx-effect/201400171> ; Jacob W Schneider, ‘Preventing Data Breaches’ (2009) 15 Boston University Journal of Science and Technology Law 279.

[46] Schwartz and Janger, above n 2, 946. Note that this issue is explored in further detail above.

[47] Ponemon Institute, National Survey on Data Security Breach Notification (26 September 2005) White & Case, 3

<http://www.whitecase.com/files/FileControl/863d572d-cde3-4e33-903c-37eaba537060/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/File/Security_Breach_Survey%5B1%5D.pdf> .

[48] Ibid.

[49] Schwartz and Janger, above n 2, 947.

[50] Wenbo Mao, Modern Cryptography: Theory and Practice (Prentice Hall, 2004) 24. Encryption involves the transformation of digital information from plaintext to ciphertext so that it is unintelligible to anyone without the correct decryption key.

[51] Cal Civil Code § 1798.82(e)–(f) (2006).

[52] Mark Burdon, Jason Reid and Rouhshi Low, ‘Encryption Safe Harbours and Data Breach Notification Laws’ (2010) 26(5) Computer Law & Security Review 520.

[53] Ibid 2.

[54] Sean C Honeywell, ‘Note, Data Security and Data Breach Notification for Financial Institutions’ (2006) 10 North Carolina Banking Institute 269, 296.

[55] Michael E Jones, ‘Data Breaches: Recent Developments in the Public and Private Sectors’ (2007) 3(3) I/S: Journal of Law and Policy for the Information Society 555, 564. According to Avivah Litan, the Vice President of Gartner Inc, who testified at a congressional hearing on this issue, encryption is estimated to cost roughly US$5 per user during the first year and US$1 for each account in subsequent years.

[56] Honeywell, above n 54, 296.

[57] Ibid. Another problem is that the states use different terms to determine what constitutes effective encryption standards. And, moreover, some are so broad and poorly defined, such as Maine’s definition of encryption based on ‘generally accepted practices’ that they are ineffective.

[58] Burdon, Reid and Low, above n 52, 14.

[59] Burdon, Lane and von Nessen, above n 9, 117; Schwartz and Janger, above n 2, 925.

[60] Sara A Needles, ‘The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law’ (2010) 88 North Carolina Law Review 267, 280.

[61] Tom, above n 12, 1571.

[62] Jane K Winn, ‘Technical Standards as Data Protection Regulation’ in Gutwirth, et al (eds), Reinventing Data Protection? (Springer, 2009) 202.

[63] Gramm-Leach-Bliley Act of 1999, 15 USC § 6801, 6805 (2000).

[64] Needles, above n 60, 294.

[65] Winn, above n 62, 202.

[66] Ibid.

[67] The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed as part of economic stimulus legislation and amended the Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’): American Recovery and Reinvestment Act of 2009, Pub L No 111-5, § 13421, 123 Stat 115, 276 (codified at 42 USC § 17951).

[68] Ariane Siegel et al, ‘Survey of Privacy Law Developments in 2009: United States, Canada and the European Union’ (2009) 56 Business Law 285, 286.

[69] Tom, above n 12, 1570.

[70] Data Security and Breach Notification Act of 2012, S 3333, 112th Congress, 2d Session (‘Data Breach Act’).

[71] Schwartz and Janger, above n 2, 925. Note these states include Arkansas, California, Nevada, North Carolina, Rhode Island, Texas and Utah.

[72] Fred H Cate, Information Security Breaches and the Threat to Consumers (September 2005) The Center for Information Policy Leadership at Hunton & Williams LLP <http://www.fredhcate.com/Publications/Information_Security_Breaches.pdf> .

[73] Note that a Directive is a legislative act of the European Union which requires all EU member states to implement laws to achieve the stated result.

[74] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L 201/37 (Directive on privacy and electronic communications).

[75] Rosa Barcelo and Peter Traung, ‘The Emerging European Union Security Breach Legal Framework: The 2002/58 ePrivacy Directive and Beyond’ in Gutwirth et al (eds), Reinventing Data Protection? (Springer, 2009) 80.

[76] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws [2009] OJ L 337/11. See also Barcelo and Traung, ibid 77.

[77] Francoise Gilbert, Coming Soon to the European Union: Security Breach Disclosure Requirements (2013) Global Privacy Book

<http://www.globalprivacybook.com/blog-european-union/295-coming-soon-to-the-european-union-security-breach-disclosure-requirements> . On 6 May 2009, the European Commission (with the support of the European Parliament and Council of Europe) committed itself to begin working on a proposal for a general data breach notification law applicable to all entities holding personal data.

[78] Stephen Gardner and Jabeen Bhatti, EC Proposes Expanding Security, Breach Notice Obligations to EU Critical Sectors (19 February 2013) Global Law Watch

<http://www.globallawwatch.com/2013/02/ec-proposes-expanding-security-breach-notice-obligations-to-eu-critical-sectors/> . Note, though that this reporting requirement would not apply to breaches of personal data but to systemic cyber-attacks that compromise data systems.

[79] Ibid.

[80] Barcelo and Traung, above n 75, 79.

[81] Ibid.

[82] Article 2(a) continues: ‘in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.’

[83] Generally speaking, traffic data includes any data relating to the transmission of a communication, indicating its source, destination, route, time and date, size, or type of service. This includes data about an email (whether in a ‘drafts’ folder, an ‘inbox’, or in transit), such as its source, destination, size and headers, as well as the URLs visited, time spent online, and requests made to search engines for data and downloads.

[84] Barcelo and Traung, above n 75, 89.

[85] Article 2(h): ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community.’

[86] Barcelo and Traung, above n 75, 81.

[87] Article 4(3).

[88] Barcelo and Traung, above n 75, 91.

[89] van Quathem, above n 23, 19.

[90] Ibid 20.

[91] Article 4(3)(5).

[92] Article 4(3)(2).

[93] van Quathem, above n 23, 19.

[94] Article 4(3)(5).

[95] Barcelo and Traung, above n 75, 81.

[96] Recital 59 states ‘the notification of security breaches reflects a general interest of citizens in being informed of security failures which could result in their personal data being lost or otherwise compromised, as well as of available or advisable precautions that they could take in order to minimize the possible economic loss or social harm that could result from such failures.’

[97] Barcelo and Traung, above n 75, 88.

[98] Ibid 91.

[99] Article 4(4).

[100] Article 4(3)(4).

[101] Barcelo and Traung, above n 75, 83.

[102] Article 4(3)(3).

[103] Article 4(4).

[104] Barcelo and Traung, above n 75, 83.

[105] Winn, above n 62.

[106] Barcelo and Traung, above n 75, 104.

[107] Office of the Australian Information Commissioner, Guide to Handling Personal Information Security Breaches (2008) <http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches> . The guidelines were intended to help organisations respond effectively to an information security breach and to identify those situations in which notification is appropriate.

[108] Office of the Australian Information Commissioner, Annual Report 2011-12, Message from the Privacy Commissioner, Timothy Pilgrim <http://www.oaic.gov.au/about-us/corporate-information/annual-reports/oaic-annual-report-201112/message-from-the-privacy-commissioner-timothy-pilgrim> .

[109] Minter Ellison Alert, ‘Federal Government Now Looks at Mandatory Data Breach Notification’ (19 October 2012) Minter Ellison

<http://www.minterellison.com/publications/federal-government-now-looks-at-mandatory-data-breach-notification/> .

[110] Information Privacy Principle 4 and National Privacy Principle.

[111] Commonwealth of Australia, above n 4.

[112] Privacy Amendment (Privacy Alerts) Bill 2013 (Cth). Just prior to this, in early May 2013, the Australian Attorney General’s Department circulated a confidential draft exposure bill, which would force organisations to notify the Australian Information Commissioner, affected consumers and occasionally the media when data breaches occur.

[113] Office of the Australian Information Commissioner, Privacy business resource 2: Privacy Act reforms – Checklist for APP entities (organisations)

<http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-2-privacy-act-reforms-checklist-for-app-entities-organisations> .

[114] The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) passed through the Australian Parliament on 29 November 2012 and received royal assent on 12 December 2012. The reforms commence on Wednesday 12 March 2014. See <http://www.oaic.gov.au/publications/FAQs/privacy_law_reform_faqs.html>.

[115] ALRC, above n 7.

[116] Sections 26ZE and 26ZF.

[117] Allie Coyne, ‘Data breach laws to drive class actions: IIA’ (4 June 2013) SC Magazine <http://www.scmagazine.com.au/News/345501,data-breach-laws-to-drive-class-actions-iia.aspx>.

[118] Section 26ZB(2).

[119] Section 26ZB.

[120] Section 26ZB.

[121] Under the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), offenders could have faced fines of up to $22,000 for individuals and $110,000 for organisations. Repeat and serious offenders could have faced financial penalties of up to $220,000 for individuals or $1.1 million for organisations.

[122] Needles, above n 60, 281. For example, lost revenue, share devaluation, and notification and remediation costs.

[123] Jane K Winn, ‘Are “Better” Security Breach Notification Laws Possible?’ (2009) 24 Berkeley Technology Law Journal 1133, 1159.

[124] Note that this sentiment was expressed by various law enforcement officials in Australia when they were asked, as part of a study into the anticipated outcome and effectiveness of the implementation of mandatory data breach notification laws in that country. One participant responded: ‘The thing you have to remember about breach notification is that it’s not a solution ... Breach notification is exposing the problem that doesn’t assume we have solutions for those problems.’ Another participant remarked: ‘Mandatory disclosure is a too simplistic response to a complex set of circumstances ... it pretends that the problem is simple and the solutions are simple and it isn’t.’ See Bill Lane, Mark Burdon, Evonne Miller and Paul von Nessen, ‘Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches’ (2010) 15(2) Media and Arts Law Review 149, 158.

[125] Winn, above n 123, 1159.

[126] Regan, above n 19, 1114.

[127] Winn, above n 62, 201.

[128] Kenneth A Bamberger, ‘Technologies of Compliance: Risk and Regulation in a Digital Age’ (2010) 88(4) Texas Law Review 669, 672, 680.

[129] Ibid 680.

[130] Ibid 673.

[131] Winn, above n 62, 201.

[132] Thomas J Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (May 2008) SSRN 17 <http://ssrn.com/abstract=1114246> DOI: <http://dx.doi.org/10.2139/ssrn.1114246>.

[133] Bamberger, above n 128, 673. Bamberger contrasts this approach with the one largely adopted by environmental regulators.

[134] Smedinghoff, above n 132, 18.

[135] Note that this can include a range of considerations, such as: determining the appropriate measures to safeguard against destruction, loss or damage to information due to environmental hazards or technological breakdown; access restrictions to buildings and facilities; technical access controls to prevent unauthorised access to information systems and data; intrusion detection systems to monitor attempted intrusions and break-ins, in both the physical and the virtual sense; employee monitoring and detection mechanisms, such as background checks, and controls to prevent unauthorised access, particularly after the termination of employment; the development of an effective incident-response plan for use when a security breach is suspected, including backup data plans, disaster management, data recovery procedures and containment; and system security, as well as data security, confidentiality and storage, not only on-site but also in terms of off-shore storage, processing and destruction of data and/or hardware, especially where third-party contractors are involved or where cloud storage is used: Smedinghoff, ibid 24-25.

[136] Bamberger, above n 128, 686, 715.

[137] Garcia, above n 27, 693.

[138] Schwartz and Janger, above n 2, 928.

[139] Smedinghoff, above n 132, 1.

[140] Winn, above n 123, 1160.

[141] Kenneth Bamberger and Deirdre Mulligan, ‘Privacy on the Books and on the Ground’ (2011) 63 Stanford Law Review 247, 276.

[142] Ibid 293.

URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/2013/8.html