Should Australia Disclose?
August 15th, 2007: Alarm bells are sounding in some organisations this week, as Democrats senator Natasha Stott Despoja plans to put before parliament an amendment to the Federal Privacy Act that would bring data disclosure laws to Australia.
Data disclosure refers to informing customers when private data such as credit card information is stolen or lost in a ‘data breach’. A common way this occurs is through ‘phishing’, or scamming people over the internet with false ‘enter your account details’ emails pretending to hail from major banks and auction sites like eBay and PayPal. Despite the common misconception that we have a privacy act and therefore everything is fine and dandy, currently “Australia has no legal mandates concerning the loss of private data,” said Andrew Walls, Research Director at Gartner.
It’s surprising that the issue isn’t receiving more attention, considering that a monstrous can of worms is on the verge of being opened. Data breaches are more common than you might think. However, because Australian companies do not have to disclose when data is lost or stolen, they are free to carry on like it never happened. “Without disclosure, consumers are being left in the dark,” said Rich Mogull, research vice president at Gartner.
Mogull believes that the current disclosure climate in Australia is similar to that of the US two years ago, right before data disclosure laws were introduced in California. The legislation has since been taken up in 40 states in the USA, with more taking it up all the time. Once the legislation passed, it opened a floodgate of reports and legal tussles, which have a very real prospect of being repeated here.
US data aggregation company ChoicePoint was the first major case of an organisation complying with the California disclosure laws, reporting the loss of private data to the 35,000 customers who were affected.
According to Mogull, it was known “for a fact that breaches happened before the law went public, they just weren’t reporting it”. Because organisations had no reason to report breaches, they refused to spend money on preventing them; this was basically a built-in market force to keep your mouth shut. Mogull points out that even ChoicePoint, who were forced to comply with the new legislation, only disclosed data breaches from the day the law passed; no losses from before that date were disclosed.
The fact that we haven’t had massive data breaches splashed all over the news doesn’t mean Australia is getting off easy; it’s just hidden. Australia is actually more vulnerable to data breaches owing to the fact that we have fewer major banking institutions here than in the US, making it much easier for phishing scams to scoop data off the unwary.
Senator Stott Despoja’s amendment act would open the door to data disclosure for potentially hundreds of thousands of Australians. Your private data may be lost or stolen in data breaches that organisations currently have no obligation to report. What is known for certain is that once Australia’s own data disclosure floodgate is opened, the torrent will be strong. Some organisations may see the storm coming thanks to what happened in the US, but despite any corporate misgivings, data disclosure seems to be on its way to our shores.