Data disclosure laws as inevitable as data theft itself

By Nathan Statz

January/February Edition, 2008: The talk of so-called inevitable data disclosure laws in Australia is often viewed through American-rimmed glasses. But there are more than subtle differences between what’s going on across the Pacific and what’s been tabled in Canberra, and they should be examined. Nathan Statz discloses the issue and finds that even without the bill, organisations are best advised to prepare for change.

It’s not necessary to expect data disclosure legislation to mimic the legal changes made in the United States, as there will more than likely be many differences.

Firstly, the United States has introduced data disclosure legislation at the state level, starting with Californian Senate laws forcing companies to tell their customers whenever their unencrypted private information was lost. Not only did this radically change the way companies in California had to handle privacy issues, it also influenced a wave of other states across the USA to implement their own data disclosure laws.

Australia, by contrast, has an amendment to the Federal Privacy Act on the table in Canberra thanks to a bill proposed by Democrats Senator Natasha Stott Despoja. While there’s been a huge media wave around what this may mean, nothing has actually been set in stone. Because the bill was tabled in the previous Parliament, it will need to be re-tabled for discussion in 2008 before anything concrete can emerge.

Stott Despoja is no stranger to the privacy debate and has championed areas of privacy law reform for some time. The issue of data disclosure has evolved, however, with Stott Despoja stating that it’s “increasingly obvious that the Privacy Act deals inadequately with the issue of data security.”

Stott Despoja says organisations and government agencies already have statutory obligations to maintain the security of personal information. “But even the most security conscious organisation or agency can become the victim of information theft,” she says.

What constitutes a data breach?

What exactly constitutes a data breach is often misunderstood. One of the more obvious examples of a breach occurs when a malicious user gains illegal entry to a secure network and makes off with stolen information, but more often it’s the less malicious actions that are prominent, such as an employee looking at a file that they shouldn’t.

Australia has real examples of this type of data disclosure, such as Centrelink admitting it had recorded 367 instances of employees looking at data they shouldn’t have been accessing, such as a love interest’s financial records. Each one of these cases constituted a data breach.

It’s the definition of private data that makes the issue tricky and separates the Australian response from the US version of data disclosure. Because the amendment is proposed to an existing Federal Act and not as a brand new State law, any action would rely on the Privacy Act’s existing definition of what constitutes private data and would not need to determine a new definition.

Why do we need it?

The need for data disclosure laws is based on common sense. If a customer’s sensitive information is leaked to those who shouldn’t have it, then that incident should be reported so it doesn’t happen again. This is a natural part of being a good corporate citizen, and while many organisations already report these incidents, not all do, and even fewer report a breach to the affected customers themselves.

Senator Stott Despoja believes regulatory action is needed to ensure the customers affected know the breach has occurred. Drawing attention to the (then) Howard Government’s proposed Access Card project, Stott Despoja says the imperative to reform on data disclosure laws was heightened due to the rationalization and centralized mass databases of personal data this project would have generated.

“Depending on which side of the Access Card debate you stand on,” says Stott Despoja, “we’re lucky in a sense that this didn’t go ahead, at least lucky that it didn’t go ahead while we had no solid data disclosure laws in place to protect people from the loss of such a tremendous volume of information.”

Stott Despoja believes there is substantial evidence that suggests privacy breaches are occurring routinely in Australia. These claims are backed up by the number of examples emerging into the public eye, leaving us wondering how often leaks occur that we never actually hear about.

“The issue is flying under the radar and people are left in the dark as to whom their sensitive personal information may have been inadvertently disclosed,” says Stott Despoja.

According to Stott Despoja, there may be some resistance from the general commercial sector in relation to compliance issues, but she believes that it is in the interest of companies that hold personal data to be up-front about their data security policies and infrastructure.

Will the bill succeed?

Much like anything that gets discussed in the circular city that Parliament House calls home, it’s open to debate and likely to have several vocal critics. Andrew Walls, research director at analyst firm Gartner, believes the strongest criticism of the bill will come from the lack of enforcement that the Privacy Act in general suffers from.

“The amendment won’t have too much impact if we aren’t even enforcing the current act. Passing the law doesn’t instantly make it happen,” he says.

Walls uses the example of the Privacy Commissioner, the last of whom resigned in frustration, who doesn’t have enough power to enforce all aspects of the current Privacy Act, let alone an amendment. Whether the answer to this is more funding, a greater scope, or something completely different remains to be seen, but the problem with the existing situation is clearly identifiable.

However, this doesn’t mean nothing will happen if the amendment goes ahead; there could quite easily be sweeping changes made and pressure applied for organisations to start reporting data breaches. Should this occur, it would naturally be accompanied by some kind of leeway for organisations to try and accommodate the changes.

“As with most legislation, when you roll in a change that will affect business operations, you must have a grace period where those affected by the legislation can begin the process of change,” says Walls.

“You would not instantly be hunted down because you were out of compliance, but rather you would need to move your organisation to the point that it could comply.”

There are other influences on the bill, such as the Australian Law Reform Commission’s (ALRC) review of the Privacy Act, which began in 2006 and is due for presentation to the Government in March. Walls expects this will contain quite a few revelations, as there have been numerous public data breaches, and the depth of the research will no doubt turn up a decent chunk of areas that could use some fine tuning. For the most part, though, it will be business as usual.

The land of opportunity?

Like anything, should regulatory change go ahead there will be winners and losers and a host of organisations that may not even notice the difference. One of the major winners will be vendors in the consulting business, who will be the first point of contact for organisations that go into panic mode and try to get themselves compliance-ready. Other sectors, such as security providers who sell data leakage prevention and encryption software, will also benefit greatly in the initial rush that follows any such change.

According to Walls, there is also the problem of communicating data breaches, particularly for larger enterprises. Should a company holding customer financial records suffer a breach in which a backup disk with one million records on it was lost, all of those customers would need to be informed.

“Assume it costs 50 cents for a letter to be bought and posted to each customer; when you have a breach of one million records then suddenly that’s a $500,000 business expense.”

This is where data disclosure becomes a major concern for organisations, particularly those that may have had data disks containing 10 million records or so. Reputation risk is another major cause for concern and will no doubt drum up further opposition to the changes.

Even without data disclosure laws, the impact of a breach is already very destructive to an organisation, especially if it hits the press. It’s not just the actual credit card numbers being exposed, but also managing the fraud and the loss of confidence, as well as other issues pertaining to reputation management.

Walls refers to the Westpac Bank example, where the company publicly reported the hiccups its IT departments were having that led to a data breach. This resulted in the public questioning how strong security was at Westpac, when they should have been asking why Westpac was the only one talking about it. How many other breaches are occurring that go unmentioned? The answer could quite easily be much higher than anyone anticipates.

What should be done now?

This bill may not be the smoking gun that lights up data disclosure reform across the nation. But something has to give, so it will be this or another completely new regulatory act that will change the nature of data disclosure laws.

This means there’s no real need for hesitation, because waiting is only going to cost an organisation more in the long term. Plans are always more dangerous when they’re hatched in a rush, but if an organisation starts on the road to compliance now, then change will come when it suits the business.

Walls suggests organisations with a heavy dependence on customer data, or on anything considered private under the Privacy Act, should be working right now on best practices for identifying breaches. A good start is to cut down on unnecessary data, as many organisations collect things like dates of birth and other sensitive information which they don’t really need.

“Gartner has been advising organisations that the best way of managing private data is to not have it, lots of businesses collect private data, but why does a DVD store need your date of birth,” asks Walls.

“They don’t really need it unless they want to send you a birthday card. A lot of companies are collecting private data they don’t need, and they keep it long after the reason for collecting it has expired.”

Outsourcing information management and security is another means of building defence, as is conducting a general review of current practices to establish the most efficient and effective methods of preparing for data disclosure reform.

It’s unclear whether Senator Stott Despoja’s amendment will make it through the rigours of parliamentary debate. What is clear is that data disclosure laws will be upon us sooner rather than later, so there’s little reason to hesitate: turning the cogs early on the giant wheel of change will get organisations ready.