BreachExchange mailing list archives

Australia to go without a working data-breach notification scheme until at least 2017


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 3 Dec 2015 18:40:56 -0700

http://www.zdnet.com/article/australia-to-go-without-a-working-data-breach-notification-scheme-until-at-least-2017/

The earliest that Australia will now have a working data-breach
notification scheme is set to be sometime in 2017, after the
Attorney-General's Department released its exposure draft of amendments to
the Privacy Act to create such a scheme.

With consultation open until March next year, the legislative process yet
to begin, and any notification scheme set to commence a year after the Bill
passes parliament, that would leave Australia without a working data-breach
notification scheme until 2017 at the earliest.

In October, Australian Attorney-General George Brandis told the Senate that
data-breach notification laws would not be passed this year, but that the
legislation would be introduced into Parliament. However, that did not
occur.

At the same time, Australia's telecommunications companies are implementing
plans to create systems to retain data on their users. The data-retention
laws came into force in October, with telcos having 18 months' grace before
they would be considered non-compliant.

The Australian data-retention laws allow the nation's approved
law-enforcement agencies to warrantlessly access two years' worth of
customers' call records, location information, IP addresses, billing
information, and other data stored by telcos.

The Joint Parliamentary Committee on Intelligence and Security recommended
in February that Australia have data-breach notification laws in place
before the end of 2015, prior to the implementation phase of the
data-retention laws.

According to the exposure draft released yesterday, notification would only
need to occur for incidents involving personal information, credit card
information, credit eligibility, or tax file number information that would
put individuals at "real risk of serious harm".

"Serious harm, in this context, includes physical, psychological,
emotional, economic, and financial harm, as well as harm to reputation,"
the draft explanatory memorandum said. "The risk of harm must be real, that
is, not remote, for it to give rise to a serious data breach.

"It is not intended that every data breach be subject to a notification
requirement. It would not be appropriate for minor breaches to be notified,
because of the administrative burden that may place on entities, the risk
of 'notification fatigue' on the part of individuals, and the lack of
utility where notification does not facilitate harm mitigation."

The scheme would only apply to companies covered by the Privacy Act, and
would exempt intelligence agencies and small businesses from needing to
disclose breaches.

"Law-enforcement bodies will not be required to notify affected individuals
if compliance with this requirement would be likely to prejudice
law-enforcement activities," the draft memorandum said.

Under the requirements of the exposure draft, entities would need to notify
the Australian Information Commissioner and affected individuals if there
are reasonable grounds to believe that a serious data breach has occurred.
If an entity is not certain that a breach has occurred, it has 30 days to
investigate whether notification is needed.

The information contained within a notification would be a description of
the data breach, the kinds of information concerned, recommendations about
the steps that individuals should take, and contact details of the breached
entity. When communicating the notification, entities may use any method
of communication that they normally use to communicate with users.

For non-compliance with the laws, the Information Commissioner would be
able to initiate investigations, make determinations, seek enforceable
undertakings, and pursue civil penalties for serious or repeated
interferences with privacy.

"This approach will permit the use of less severe sanctions before
elevating to a civil penalty," the draft memorandum said. "These less
severe penalties could include public or personal apologies, compensation
payments, or enforceable undertakings.

"A civil penalty would only be applicable where there has been a serious or
repeated non-compliance with mandatory notification requirements. Civil
penalties would be imposed by the Federal Court or Federal Circuit Court on
application by the commissioner."

All telecommunications service providers that are subject to implementing
data retention would also be subject to mandatory data-breach notification,
whereas e-health providers would be subject to the mandatory data-breach
notification scheme under the My Health Records Act.

Submissions on the draft can be made to the Attorney-General's Department
until March 4, 2016.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 