Organisations will struggle to comply with the federal government’s mandatory data breach notification proposals unless guidance and processes are created to help them determine whether they need to report an incident, according to an IT security expert.
Ewen Ferguson, managing director at global consulting firm Protiviti, said detailed guidance and consultation with the Privacy Commissioner, Timothy Pilgrim, need to be introduced to prevent compliance confusion.
In its submission to the government’s consultation on the draft Bill, the consultancy observed that in the European Union and United States, an entity’s notification obligations are clearly defined. But Australia’s draft legislation introduces sketchier concepts that could require organisations to make subjective judgement calls.
Ferguson claimed it will be difficult for entities to judge whether certain thresholds are met before their notification obligation is triggered. These include whether there are ‘reasonable grounds’ to believe a serious data breach has occurred resulting in a real risk of serious harm to affected individuals.
“There’s a wide spectrum of circumstances in which a data breach can occur, ranging from an employee losing a laptop containing a limited amount of non-financial personal information, to a large-scale malicious theft of credit card details,” Ferguson said.
“There will always be a multitude of factors at play and the outcome will not always be straightforward.
“What’s more, in many cases it will not be clear who has acquired the data, and how or for what purposes the data was compromised, making it difficult for companies to gauge the severity and impact of the breach,” he said.
He said that because the draft laws establish a ‘self-assessment’ regime, whenever the facts are borderline or a case for non-disclosure is at least arguable, organisations are more likely to decide not to notify, in order to avoid the reputational damage of public scrutiny.
“The danger of a regime that encourages entities to ‘err on the side of non-disclosure’ is that it may not adequately protect the individuals affected by data breaches, as potentially serious breaches may go unreported,” he said.
To address these concerns, Protiviti recommended that the Privacy Commissioner issue detailed criteria and case study-style guidelines on how self-assessment might operate in practice.
“Secondly, there must be an avenue for entities to approach the Commissioner’s office for prompt, in-confidence advice on whether their notification obligations apply in cases where the outcome is unclear.
This may be established as an administrative process by the Commissioner’s Office or formally in legislation, similar to the way federal tax laws allow taxpayers to apply to the Australian Taxation Office for a binding ‘ruling’ on how the tax law applies to their circumstances,” he said.