AISA Position Statement: Mandatory Data Breach Notification in Australia


Overview

Although AISA members are broadly in support of mandatory data breach notification in Australia, they have a number of concerns relating to the proposal as well as to the provisions of the Privacy Act Amendment (Privacy Alerts) Bill 2013:

• Members generally would have preferred a notification trigger lower than “real risk of serious harm” and supported notification of any breach resulting from a security failure

• More detailed guidance on what “real risk of serious harm” might mean, including examples, would be appreciated

• In any case, members supported a review of the operation of the trigger after 24 months to assess its appropriateness

• Members would also have preferred a direct penalty regime for failure to notify in accordance with the provisions

• There are concerns regarding the ability of those small and medium organisations covered by the Privacy Act 1988 (Cth) to comply with the breach notification provisions

In regard to the proposed legislation, AISA is interested in why the notice requirement does not include reference to an “interference” which would ensure consistency between the notification requirement and the terms of APP11.1.

AISA would support the publication by the OAIC of details of reported data breaches to assist in our understanding of the causes, size and extent of privacy breaches in Australia.

Detailed Position:

AISA has been involved in the debate on the introduction of a mandatory data breach notification (MDBN) requirement in Australia for a number of years.


Attitudes to MDBN were first tested as part of a 2011 AISA member survey directed at providing high quality information into the Government’s cyber security white paper development process. Membership attitudes were tested again in 2012 via a survey which sought responses to a number of questions broadly similar to those raised in the Commonwealth of Australia Attorney-General’s Department Discussion Paper, Australian Privacy Breach Notification [1], October 2012 (the Privacy Breach Notification Discussion Paper). Survey results included the following:

• Only 8% of respondents reported that appropriate stakeholders were ‘almost always’ informed of security breaches. A large majority of respondents had experienced inadequate reporting of security incidents

• 72% agreed that Australia needs wider data protection laws (to protect data other than personal data). [2]

AISA subsequently made a submission in response to the Privacy Breach Notification Discussion Paper based on these survey results (which included responses from 285 members) and feedback from on-line discussions and direct contact from members, which included the following:

• Support for introduction of MDBN Law: An overwhelming majority of AISA members support the introduction of a data breach notification law. Although AISA recognises that data breach notification does not provide a holistic regulatory response to information security issues, it believes that its introduction will result in increased awareness of information security failures resulting in data breaches. This will not only raise public awareness but will provide reliable information on data breaches for Government, including the extent, types and causes of breach. As well, it is hoped that, as has been reported in other jurisdictions, data breach legislation will increase management’s attention to information security risks, which can result in increased focus on the deployment of appropriate controls. [3]

[1] <http://www.ag.gov.au/Consultationsreformsandreviews/Documents/AustralianPrivacyBreachNotificationDiscussionPaper.PDF>

[2] A copy of the November 2012 survey report can be made available on request to [email protected].

[3] See, for example, the “State of SMB Cyber Security Readiness: UK Study”, prepared by Ponemon Institute, November 2012, which shows that achieving compliance is the main driver for cyber security among the small to medium UK businesses that were the subject of the survey. <http://www.faronics.com/assets/UK-Faronics-FINAL-1.pdf>


There were concerns from some members around additional costs and compliance burden; however, it was expected that this would be considered as part of the design of the regulation.

• Trigger for notification: “Real risk of serious harm” is the notification trigger that has been adopted in the Privacy Act Amendment (Privacy Alerts) Bill 2013 (Cth) (the Privacy Alerts Bill). The AISA member view was that a lower trigger for notification should be introduced and that any trigger should specifically incorporate the concept of notification when a breach of data security has occurred.

AISA confirms its opinion that the notification trigger is too high. As well, AISA members strongly support the issuance by the Office of the Australian Information Commissioner (OAIC) of appropriate and more detailed guidance as to the meaning of the term “real risk of serious harm.”

It was the members’ view that there should be a review of any trigger after 24 months of operation to assess its efficacy, in terms of the objectives of the data breach notification law. Given the selection of “real risk of serious harm” as the notification trigger in the Privacy Alerts Bill, AISA would re-iterate the benefits of a review of the operation of the legislation. AISA in particular would be keen to engage with the OAIC or Attorney General’s Department in carrying out such a review.

• Penalties or sanctions for failure to notify: The survey results indicated that, in the view of AISA members, any penalties should be more than nominal and should be relative to the severity of the breach (in terms of the type of information compromised or the likely harm).

Although we note that “serious and repeated” offences may lead to the application of penalties, it would still be AISA’s view that penalties should apply in any case where there is a failure to report a data breach where there is a “real risk of serious harm.” Also, the penalty should discourage organisations from electing to pay a fine rather than protecting the data to prevent subsequent breaches.

• Inclusion of MDBN in Privacy Act: Although members did not necessarily oppose the inclusion of MDBN law in the Privacy Act 1988 (Cth), members were concerned about the application of those provisions to SMEs. Members were of the view that consideration should be given to the issues and challenges of compliance by SMEs (to the extent that they are covered by the Act).


Response to Privacy Act Amendment (Privacy Alerts) Bill 2013 (Cth)

In regard to the specific provisions of the Privacy Alerts Bill, and in addition to the point already noted above, AISA is of the view that both the details of reported data breaches (including the source of the breach, the industry sector and the number of individuals affected) and individual case details should be made public. The OAIC should be obliged to publish, or require the publication of, both case details and statistics in an efficient, searchable public online register that remains permanently available.

General Discussion – PMC Cyber Security 2011 Submissions.

In addition to responding to the questions raised specifically in the Privacy Breach Notification Discussion Paper, AISA would also like to re-iterate a number of submissions included in the AISA response to the PMC Cyber Security discussion paper, which have some relevance to the issue of data breach notification.

In particular, we confirm the strong view of a number of AISA members that data breach notification by itself will not solve all the problems of inadequate information security that have already been referred to.

The submissions made in response to the PMC Cyber Security discussion paper (which were based on the responses to the AISA Survey 2011) included the following:

Regulation of Information Security Practices: Legislation should address the adequate protection of all information, extending beyond the protection of personal information. Any information should be protected if its compromise could lead to a gain by deception (fraud), or to loss or impact to others.

Support of Standards Development: The Government should provide additional resources for Standards Australia to participate in international efforts to develop better information security standards. Support of other de facto standards bodies should also be considered.

The ICT Industry lacks adequate information security skills: Security is often misunderstood by business, and is frequently left to technologists to deploy tactical solutions. Moreover, the security speciality is seen as a separate skillset, and the majority of the ICT workforce does not know enough about incorporating security into ICT life cycles, roles and responsibilities, or about linking business objectives to ICT operations. Security should be an integral part of all information systems procurement, design and development and not perceived purely as a separate discipline. This is unlikely to happen until security is a part of the training for all ICT professionals, and endorsed by business management.

The Government should require all universities and colleges to include and integrate security principles and skills in their IT courses, both within existing modules and as standalone electives.

AISA

The Australian Information Security Association (AISA) is an Australian representative industry body for the information security profession. Formed in 1999, AISA is focused on individual professional membership with a current membership of 1700 security specialists. AISA aims to foster and promote the development of information security professionals and the security of the ICT industry.

Our broad membership base consists of information security professionals from all industries including education, finance, government, healthcare, manufacturing, mining, oil and gas, transportation, and utilities. Our members range from company directors, managers, lawyers, risk professionals and architects to highly skilled technical security specialists, professors and researchers.

On behalf of the Policy Committee

Benn Dullard National Director

Australian Information Security Association

Contacts and Further Information

Gary Gaskell
AISA Policy Committee Chair
[email protected]
Phone 0438 603 307

Benn Dullard
AISA National Director
[email protected]
Phone 0421 339 178
