Wednesday, December 09, 2015

It Is Not Before Time We Are Seeing This Come In. All Data Breaches Should Be Notified To All Those Affected.

This news appeared late last week. First here:

Government reveals proposed data breach notification scheme

Attorney-General’s Department launches public consultation
The government has released the long-awaited exposure draft of legislation to create a mandatory data breach notification scheme.
The introduction of a data breach notification regime formed part of the government’s response to the report of the parliamentary inquiry into data retention.
The report of that inquiry had recommended the creation of such a scheme.
The government has lived up to its commitment of a public consultation on the scheme. The Attorney-General’s Department is accepting submissions on the exposure draft until 4 March next year.
The scheme as currently drafted would oblige businesses to report a “serious data breach” to the Australian Information Commissioner and notify individuals whose data is affected by a breach.
A “serious breach” involves personal information, credit reporting information, or tax file information being subject to unauthorised access or disclosure and putting those individuals affected at “real risk of serious harm”.
Whether an individual was at risk of “serious harm” would depend on a number of factors, such as whether the information is encrypted (and how hard that encryption would be to break) and the sensitivity of the information.
Lots more here:
and also here:

Government unveils data breach notification bill

Gives industry until March next year to have input.

By Allie Coyne
Dec 3 2015 5:18PM
The government has published an exposure draft of its long-awaited bill for mandatory data breach notifications, specifying what it considers to be a serious breach and how organisations will need to respond.
The exposure draft, which is open for consultation until March 4 next year, comes as the government failed to deliver on its promise to have a scheme up and running by the end of this year.
The bill runs along almost identical lines to the Privacy Alerts bill introduced by Labor in 2013, and again last year. It is understood to have bipartisan support.
It outlines what the government considers to be a serious breach and details the steps an organisation must take to address such an incident.
A serious breach, under the bill, occurs when there is unauthorised access to, disclosure or loss of customer information held by an entity, which as a result generates a real risk of serious harm to individuals involved.
Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
An entity must notify customers, the Privacy Commissioner and potentially the media "as soon as practicable after it is aware" or has reasonable grounds to believe a serious data breach has occurred.
More here:
and lastly here - with a lot of external comments:

Delayed Australian data breach notification bill lands

Date December 4, 2015 - 3:26PM

Ben Grubb

Technology editor

Australians will be informed of certain breaches of their personal information under new laws being proposed by the Turnbull government, but only if the company or organisation breached turns over $3 million in revenue a year.
The Attorney-General's Department released on Thursday an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, which will require entities to disclose serious breaches of people's information.
The government was meant to introduce the bill into parliament before the end of the year but left it until the last sitting day of the year to release an exposure draft before its likely introduction into parliament next year.
If passed, the bill will require companies to disclose a breach within 30 days if it concerns personal information and "there is a real risk of serious harm to any of the individuals" to whom the information relates.
At present, companies, federal government agencies and various other Australian organisations are not required to disclose breaches by law. Nothing stops them, however, from voluntarily disclosing a breach.
Vice chair of the Australian Privacy Foundation, David Vaile, said that the $3 million threshold of compliance — something that has existed in the Privacy Act for some time — was "a potential problem".
"A backyard data-munging operation can now cause as much damage, and release as much data (but may be less scrupulous or well defended) than any big bank, telco or government agency," he said.
Lots of other comments here:
There is a request for Submissions which concludes March 4 next year.
My simple view is that the opening position is that anyone who chooses to collect personal information from you should let you know if they let it loose to anyone you have not authorised to have access.
What do others think?