Data breach notification laws spawn little fanfare.. another case of under estimating obligations and poor privacy culture

March 15, 2018 |

The national data breach notification laws are marching towards the first month of operation.  It is not surprising that there have been no reported notifications under the law.  It is necessary to find a breach first, check against the criteria and then notify.

The Information Commissioner’s education campaign has been undertaken with the usual low wattage intensity.  Attempting to fill the void are articles by operators in the industry.  Most reasonable, some quite good such as the Australian’s Laws force companies, governments to better protect their data.   It addresses issues which few organisations realise, that not only are there obligations under the Australian legislation but for organisations operating in other jurisdictions there needs to be compliance with their laws.  That is particularly the case with the EU and the obligations under the General Data Protection Regulation which comes into force in May.

The article provides:

Data recognises no borders. Any organisation with considerable volumes of data has cross-border commitments and responsibilities. Two new pieces of legislation throw this into sharp relief.

The Privacy Amendment (Notifiable Data Breach) Act 2017 ­became law in Australia on February 22. This will be followed by ­Europe’s General Data Protection Regulation in May, creating new obligations for large businesses and governments.

Both laws usher in obligations for Australian businesses to protect data from genuine and growing threats. By imposing new protection and disclosure obligations, these laws will encourage ­organisations to treat data as an asset.

However, both also add to the complex web of data privacy legislation that’s now being spun worldwide. Differences from one country to the next, and even at state level in some markets such as the US and Germany, are a challenge for any organisation with international operations.

Microsoft would like to see a two-pronged response to the emergence of these new pieces of legislation, one from all of our partners and other Australian businesses affected by the laws, under which they would take ­adequate steps to strengthen their data defences; and the other from governments, which should work together to address the inconsistencies that are multiplying across borders as data protection legislation proliferates.

First and foremost, we are ­advising that all companies ­develop a data asset strategy as a matter of priority. This is a pro­active step towards creating a ­culture of data security that customers and regulators demand in the modern information age.

Data management must no longer be confined to the backroom of the IT department and treated as an overhead. It must be treated like the strategic asset that it is.

As with other asset strategies, like those managing property, a data asset strategy should address how an organisation plans on acquiring, using and disposing of data in a legally compliant way.

Some groups will use data to create competitive differences, while others will avoid data to create pro-privacy business models. Either way, one thing is clear: executive leadership teams must own these strategic decisions.

Beyond the immediate need for businesses to comply with the law, we need to see greater harmonisation in how governments around the world work to rationalise the myriad international legislation that has emerged to govern this critical area of business.

Under the European GDPR ­regime, it would be illegal for a company to bring customer data from Europe into most other countries in response to a unilateral search warrant.

This type of legal conflict isn’t theoretical. We have declined to comply with similar legal orders in Brazil because they conflict with US law. As a result, we have been fined, and one of our local employees was criminally charged.

Neither people nor companies should be put in a position where complying with the laws of one country puts them in conflict with another country under whose laws they must operate.

Information continuously criss­crossing the globe is not just good news for the technology ­industry.

The OECD has pointed out how cross-border data flows enable companies from all industries, and of all shapes and sizes, to participate in the global economy.

Small and medium enterprises in particular benefit from access to new markets and trading opportunities.

The free flow of data supports the competitiveness of local economies and the functioning of global marketplaces. But appropriate privacy and security safeguards should underpin the data flows themselves.

The ongoing commitment to finding common ground across borders is a principle that should guide all our dealings in the digital era. This means improving the harmonisation of legal frameworks and standards, pursuing international dialogue based on shared values, and making ­existing rules such as Mutual Legal Assistance Treaties fit for the digital age.

When it comes to moving forward with confidence, we need to create a future that builds trust, and to build enduring trust, we must find ways to advance secure, inclusive and responsible digitalisation.

There have been other quite useful articles on the mandatory data breach notification laws including New mandatory data breach notifications laws to drag Australia into cyber age, an earlier article in the Australian titled Data breach reporting laws hit Australia with serious implications for businesses, Whitbread’s Mandatory Data Breach Notification laws: Important tips to protect your business and the quite helpful Mandatory data breach notification law is now in force.

What all of these articles miss however is that the legislation is complex, technical and requires a balancing of factors.  Having an understanding of what the law requires and then a plan to deal with a breach is the best way to be compliant.

Leave a Reply