Data breaches and how they should be managed

In recent times there have been some high-profile cases involving data breaches at telecommunications, technology and other organisations. One of the companies involved was found to have breached the Privacy Act.

So it is no wonder that many are again revisiting the recommendation of the Australian Law Reform Commission (ALRC) that mandatory data breach notification laws be introduced. Indeed, such laws already exist in Europe, the United States and Japan.

At a recent event held by the International Association of Privacy Professionals, it was reported that the number of data breach incidents notified to the Privacy Commissioner had increased.

The Privacy Commissioner reported that his office had received 56 data breach notifications in the year to June 30, up from 44 in the previous year. While these notifications have often come from responsible companies and organisations, there is concern that other data breaches go unreported.

Many may point to the costs involved in notification. The 2009 Australian Cost of a Data Breach study, conducted by the US-based Ponemon Institute, found that organisations sustained financial losses of almost $2 million on average per incident.

We need to understand that data breaches take many forms. Some are serious and may involve the loss of personal financial data such as credit card details, or other data that may put consumers at risk of identity theft or fraud. Other breaches may result from a stolen laptop or mobile device, or from human error.

We must strike the right balance between empowering organisations to take self-help measures to protect themselves (and the personal information they hold) from serious threats, and avoiding a situation where notifications are issued so frequently, even for minor breaches that may not result in any consumer harm, that they lose their value.

Whatever the form of data breach, the key is to consider the potential for consumer harm and to have an effective system in place to respond. That is why Microsoft recommends a multi-faceted approach to data governance that goes beyond a policy solution alone. This includes companies and organisations using the most effective technology available to them to minimise risk; implementing effective auditing and reporting requirements so that the systems protecting data are in compliance with best practices; and providing a reasonable time in which to notify consumers.

One should not ignore that reputational costs and legal exposure can accrue even where an organisation has taken all reasonable steps to guard against information security breaches. Consider, for example, a breach involving the disclosure of sensitive financial information that occurs because an employee failed to follow the organisation's procedures for handling personal information. The organisation may nonetheless be liable. Once affected individuals are notified of a breach of this kind, it is inevitable that at least some of them will pursue their legal remedies for the unauthorised disclosure of their personal information. It is important to note that the Australian liability position for unauthorised disclosures of personal information arising out of a failure to follow reasonable procedures differs from that of other jurisdictions.

A data breach notification system needs to be fair and reasonable, allow a reasonable period in which to respond, and recognise that different levels of data breach may require different responses according to their potential for, and level of, consumer harm.

For more information on Microsoft's position, see the attached document on data breach notification.

Sassoon Grigorian, Government Affairs Manager

Data breach notification.pdf