The backlash by industry groups against long-overdue data breach reporting laws would be worrying if it weren't so predictable.
If we are to believe industry lobby groups like the Association for Data-driven Marketing and Advertising (ADMA – formerly known as the Australian Direct Marketing Association), the government’s proposed laws to make organisations notify consumers of breaches of their personal privacy would be a jobs killer and an unnecessary burden on business.
This is an argument aimed at further delaying a bill already five years in the making that would do no more than see businesses held accountable for being careless with their customers’ personal information.
Similar arguments were raised in submissions to the Senate inquiry by representatives of the banking, telecommunications, insurance, finance and credit reporting industries. What all of these industries have in common is that they collect and use huge and ever-increasing amounts of personal information. They also have a vested interest in not being seen to have security problems, and their security practices and records are largely unknown to the public.
The proposed law would simply require organisations to notify their customers if someone gains unauthorised access to personal information, or if the organisation loses or discloses such information (say, by leaving a USB stick with the information on a train). There are already laws against gaining unauthorised access to information, and organisations are required to protect personal information under the Privacy Act, but this law would for the first time ensure that organisations are required to tell their customers when something goes wrong.
The point of this law is to protect individuals because business has shown through numerous high-profile breaches that it won’t take the necessary care with personal data unless compelled.
The notifications would be a clear benefit to all Australians – both by providing consumers with information about organisations with poor data breach histories and by providing an incentive for organisations to improve their data handling practices.
By helping to build consumer trust, the notifications would bring benefits to both business and the community.
Arguments by industry groups that the law is being rushed through with no evidence of widespread breaches are misleading at best. The ADMA even recommended in its submission to the recent Senate inquiry that the proposal be sent to the Australian Law Reform Commission for consideration. But this requirement had already been considered and recommended by the Commission back in 2008.
The claim by ADMA that there is no evidence of widespread breaches is easy to make while they attempt to block a law that would provide exactly that evidence. As it stands, the only evidence the public sees of these breaches is what businesses want us to see, or when the media finds out about a breach and alerts the public. It’s not exactly conducive to evidence-based policy.
One criticism of the proposed bill has been vagueness. The breach must present "a real risk of serious harm", but the bill doesn't provide a clear definition of either "real risk" or "serious harm". A "real risk" is defined as a risk that is "not remote". But such language is a normal part of much legislation today and ensures that courts are able to enforce the spirit of the law and avoid getting caught up in legal hair-splitting.
Indeed, the vagueness in the bill is likely to be used by businesses to avoid reporting as often as possible. ADMA also misrepresents the way the bill would operate in regard to this test. The bill does not say “Report your breaches, and we will tell you if they are serious or not” as ADMA claims. The bill simply requires businesses to make a judgement of whether the breach represents a real risk of serious harm or not, and to report it if it does. This same test is in the Privacy Commissioner’s guideline – a voluntary guideline that’s been around for several years and represents best practice – which ADMA notes is clear and comprehensive.
ADMA claims that businesses “are often the victims” of these breaches, even though businesses don’t have their own personal information – a business can be the victim of a computer attack, but it is individuals who are the victims of personal information breaches.
It has taken five years for this bill to emerge following the review of Australia’s privacy laws, and having missed the Senate in June it may take even longer to pass. Let’s not allow vested interests to further delay an important protection that is critical in a digital world.
This opinion piece by ACCAN CEO Teresa Corbin was first published on the Sydney Morning Herald on 27 July 2013.
It was written in reply to ADMA CEO Jodie Sangster’s opinion piece published on 19 July 2013.