Call for mandatory data breach disclosure laws

June 22, 2015

There has been yet another call for mandatory data breach notification laws, this time from a cyber security firm, FireEye, as reported by the Fairfax press in ‘We need accountability’: Security firm warns that we need mandatory data breach disclosure laws. The history of privacy law reform in Australia is replete with many calls followed by prolonged silences. Reform is invariably slow, late and inadequate.

The article provides:

Cyber security firm FireEye says the Abbott government needs to introduce mandatory data breach disclosure laws sooner rather than later after more than 30,000 iiNet customers had their passwords hacked.

Fairfax Media recently reported that an anonymous hacker was selling or trading a database of Westnet, a WA-based internet service provider that was acquired by iiNet in 2008.

Australian and New Zealand regional director at FireEye, Phil Vasic, said breaches in Australia are common, but disclosing them is not.

He said as few people knew about the breaches there was the perception cyber security wasn’t a problem, when in fact it was a critical issue.

Mr Vasic highlighted the recent case of online shopping giant Catch of the Day escaping any penalty, despite waiting three years to notify customers their personal information had been stolen.

“The Catch of the Day breach shows we need accountability and responsibility in breach disclosure,” he told Fairfax Media. “Three years is too long to wait before disclosing a breach.

“We can and should do better.”

Mr Vasic – whose forensic investigations arm Mandiant discovered evidence of Chinese state-sponsored attackers targeting Australian mining firms – said it was already too easy for hackers to steal confidential information from businesses.

But he said keeping these breaches under wraps just made it easier for criminals to target more victims.

“Often the credentials stolen in one attack are later used to perpetrate another – attacks that might have been prevented if those credentials had been changed by their owners once the breach was made public,” he said.

Mr Vasic said the lack of data breach notification laws in Australia also presented a national security challenge for Australia.

In March this year, Brandis and federal Communications Minister Malcolm Turnbull released a joint statement saying the Abbott government would introduce mandatory data retention laws.

The laws were in response to calls for telcos to disclose whether they lost any of their customers’ metadata, which they will now be forced to store following the introduction of a mandatory data retention regime.

A spokesman for federal Attorney-General George Brandis said the government was “committed to introducing a mandatory data breach notification scheme by the end of 2015”.

“The draft legislation setting out the proposed mandatory data breach notification scheme will be released for public consultation,” the spokesman said.

The Labor government previously introduced the Privacy Amendment (Privacy Alerts) Bill 2014, but it stalled in the senate.

Another bill was also proposed as far back as 2008 but also stalled.
