It looks like Australia may finally join the rest of the world and push forward a data breach notification law. According to itnews.com.au, Attorney-General Mark Dreyfus is helming the introduction of a law mandating notifications when Australians’ personal information ends up exposed. This time, it looks real (I blogged in 2009 that such laws were coming real soon. I guess I’m not quitting my day job for fortunetelling).
Update (02 MAY 2013): Well, well… perhaps I shouldn’t give up so fast on the fortunetelling. According to SC Magazine, drafts of the data breach notification law have been leaked (at least, “leaked” seems like the correct word, since they were stamped “confidential”).
Among other things, this means more Australian companies will have to start considering the use of data security software and services, such as AlertBoot’s mobile device management security suite, or face the consequences when a data breach takes place.
Growing Number of Breaches Shows Need for Mandatory Notification
The road to mandatory reporting of data breaches is a long one. In 2008, the Australian Law Reform Commission (ALRC) published a report on privacy. This three-volume report also included recommendations on data breach notifications for Australia. When you take into consideration that the report was the culmination of a 28-month effort, you can see that the issue of data breach notifications could have been under discussion as early as 2006. (The very first such law, California SB 1386, went into effect in 2002.)
In 2009, it was rumored that Australia would be passing a mandatory data breach notification law “real soon”. Four years later, we’re still hearing the same story.
It’s Different this Time…?
But this time it’s different. In October 2012, feedback was sought on a mandatory Australian data breach law, and the Attorney-General commented that
…the growing amount of breaches reported in the media continued to raise community concerns about the need for a mandatory scheme.
“If there continues to be under reporting of data breaches, or we continue to find out about them only through media reports, some would argue there is a strong case to move to a mandatory scheme,” he said.
Between 2011 and 2012, there was an 11% increase in privacy complaints. Plus, many surveys show that Australians support the idea of mandatory data breach notifications. The Privacy Commissioner has called for such a law as well.
Guide to Information Security Published
Another indication that Australians will see such a law sooner rather than later? The Office of the Australian Information Commissioner (OAIC) has released the final draft of the “Guide to Information Security: ‘Reasonable Steps’ to Protect Personal Information”.
While the guideline is not binding, the Commissioner has noted that “its recommendations provides [sic] the best insurance against data breaches” and that “[the OAIC] intend to refer to it when assessing compliance with the data security obligations under the Privacy Act.”
It looks like a number of different factors are converging, and the writing is on the wall. If your company is based in Australia, this may be a good time to check out AlertBoot’s data security offerings: mobile security for BYOD (tablet and smartphone protection) and full disk encryption for laptops.