As of July 1, 2009, Australia does not have any laws requiring notification of data breaches. However, efforts are underway to alert Australians (and the government) when a company or agency experiences a breach of sensitive data that could affect Australians. There will be exceptions, of course. For example, an exception will be made if the personal information was protected with adequate encryption, such as that provided by software like AlertBoot.
The bad news is that such efforts won’t go into effect until next year at the earliest, according to Senator John Faulkner.
The ALRC’s Recommendation
The Australian Law Reform Commission (ALRC) has made recommendations to amend Australia’s Privacy Act, which requires something of a remedy in light of the dangers of the Information Age. The entire document, titled “For Your Information: Australian Privacy Law and Practice” can be found here.
The recommendations effectively boil down to five points:
The Privacy Commissioner and affected individuals must be contacted in the event of a data breach that involves personal information if it is believed the breach will cause harm
Personal information will be defined to include names, addresses, and other identifiers such as “Medicare or account numbers”
The risk of harm to individuals will take into consideration the use of adequate encryption and how (and why) the information was collected in the first place
The Privacy Commissioner can prevent the disclosure of a breach if it deems it against the interests of the public or affected individuals
Not notifying the Privacy Commissioner of a data breach that should have been reported will be grounds for a civil penalty (which, if I’m not wrong, is usually legalese for “monetary fines”)
That’s the gist of Recommendation 51-1 of ALRC Report 108. The actual report describing the reasons behind the recommendation is, of course, much longer and much, much more involved. No wonder the government needed at least a year and a half to even begin implementing it…
Adequate Encryption? A Floor vs. A Ceiling
Adequate encryption? Is the government trying to shaft Aussies? After all, shouldn’t they be looking for the “very best encryption,” as opposed to something that’s adequate?
It turns out that adequate encryption is usually more than good enough, and the very “best” encryption may not be the best solution. When it comes to data security and encryption, we can equate “the best” with “the strongest” form of encryption. The catch is that the stronger the encryption employed, the longer it takes to encrypt and decrypt data. Your data is technically more secure, but everything becomes relatively slower, which is not a good thing in an age where people’s fingers start to twitch when a website takes five seconds to load.
So, the trick is to find a point where one gets plenty of security while not waiting for the cows to come home. This means that one’s got to find a floor, as opposed to a ceiling, when it comes to the strength of encryption. In other words, something that is “adequate.”
AES-128 or Equivalent…For Now
Standards may vary, but currently (June 2009) the acceptable level of encryption is AES 128-bit encryption or equivalent. For example, the National Security Agency (NSA) announced back in 2003 that AES-128 could be used for classified information at the “secret” level (whereas “top secret” would require something stronger, such as AES-256). It is also probably what your bank uses for on-line banking services.
With time, though, as new vulnerabilities are found and as computers get faster, the standard will shift, and 128-bit encryption will be dropped in favor of stronger encryption.
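To put a number on the “stronger means slower” trade-off discussed above, here is an added Go benchmark (example code written for this page, not from the original post or from AlertBoot) that encrypts the same constructed 1 MiB payload with AES-128-GCM and AES-256-GCM and reports throughput. The key length alone selects the AES variant; the all-zero benchmarking key and the zero-filled payload are placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// newGCM builds AES-GCM; a 16-byte key selects AES-128 (10 rounds), 32 bytes AES-256 (14).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// throughputMiBps times seal over iters runs of payload with a constant all-zero keyLen-byte key (benchmarking only, never for real data).
func throughputMiBps(keyLen int, payload []byte, iters int) float64 {
	key := make([]byte, keyLen)
	start := time.Now()
	for i := 0; i < iters; i++ {
		if _, err := seal(key, payload); err != nil {
			panic(err)
		}
	}
	return float64(len(payload)*iters) / (1 << 20) / time.Since(start).Seconds()
}

func main() {
	payload := make([]byte, 1<<20) // 1 MiB of constructed sample data
	for _, keyLen := range []int{16, 32} {
		fmt.Printf("AES-%d-GCM: %.0f MiB/s\n", keyLen*8, throughputMiBps(keyLen, payload, 50))
	}
}
```

AES-256 runs 14 rounds per block against AES-128’s 10, so expect a measurable but modest gap, smaller still on CPUs with hardware AES instructions.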