[BreachExchange] Australian industry lashes out at data breach notification scheme

[Audrey McNeil]

http://www.itnews.com.au/news/australian-industry-lashes-out-at-data-breach-notification-scheme-417331

Australian businesses say they are not sold on the government's proposed
mandatory data breach notification scheme, with some even going so far as
to call for it to be abandoned.

Late last year the government released an exposure draft of its
long-awaited bill for the scheme, outlining what it considers a serious
breach and the steps an organisation must take in response to one.

It defines a serious breach as unauthorised access to, disclosure or loss
of customer information which generates a real risk of serious harm to
individuals.

After an entity is aware or "ought to have been aware" a serious breach has
occured, it must notify customers, the Privacy Commissioner, and
potentially the media "as soon as practicable".

In cases where an entity suspects a breach has occured, it will have 30
days to assess whether it needs to make notification.

However, Australia's biggest industry groups are calling for changes to be
made to avoid "notification fatigue" and to make their obligations clearer.

The Australian Industry Group - which represents 60,000 business across a
range of sectors - said it couldn't understand why such a scheme was
required at all.

"Ai Group understands the reasons why the bill has been drafted but we are
not convinced of the need for the bill," it said.

It argued [pdf] there were already privacy protections in place to deal
with data breaches, and businesses would face an "unreasonable compliance
burden" and difficult implementation of the scheme should it go ahead.

The Australian Retail Credit Association (ARCA) similarly argued the bill
needed to be heavily edited if it was to progress any further.

It outlined [pdf] a laundry list of issues, covering the 30-day assessment
period, the ability for the Privacy Commissioner to direct an entity to
make notification of a breach, and the inclusion of "psychological and
emotional" in the definition of what constitutes "harm", among others.

Should have known

Ai Group stood on its own in outright questioning the need for the bill,
but echoed the calls of many others in calling for the removal of the
concept that an entity would still be subject to disclosure obligations if
it 'ought to reasonably be aware' that a serious breach had occured.

The argument was similarly made by Telstra, PriceWaterhouseCoopers, the
ABC, the Law Council of Australia, the Insurance Council of Australia
[pdf], and the Australian Retail Credit Association.

Telstra said while it assumed the language had been included to address
situations where an entity was "wilfully blind" to a serious data breach,
it could result in organisations being unfairly targeted for not notifying
early enough.

"Security incidents and complaints are generally raised within a large
organisation such as ours through a number of channels," Telstra said [pdf].

"It may not be apparent that there is a serious data breach requiring
notification until issues are ventilated either by multiple persons or via
multiple channels."

PwC said [pdf] its research had found that it takes an average of 243 days
between when an entity is hacked and when it discovered the breach, and
called on the OAIC to make clearer the circumstances under which it would
consider an organisation should have been aware of a breach.

"... an entity may not become aware of a serious data breach until after
the hacked information has been unlawfully used or disclosed... This may be
a significant time after the serious data breach occurred," the ABC [pdf]
agreed, calling for the removal of the 'ought to have been aware' phrase.

The Law Council argued [pdf] the language was too broad and uncertain and
pushed for its removal from the bill, as did ARCA, which questioned how an
entity can be required to notify of a breach if it is not aware one has
occured.

What is harm?

Issues were also raised with how an organisation would be expected to
assess the harm to an individual in a data breach.

According to PayPal, the legislation's current scope of "harm" - which
includes physical, psychological, economic and reputational - is "overly
broad" and requires entities to assess characteristics of individuals
without the requisite expertise to do so.

"While PayPal understands the intention of the government is to require
organisations to give consideration to the widest possible harm that may
result from a data breach, PayPal is concerned that such a breadth of harm
imposes an unmanageable risk upon entities such that most if not all data
breaches will require notification," it said [pdf]

The Communications Alliance [pdf] "strongly objects" to this "incredibly
large scope of harm" and called for the removal of the terms 'emotional'
and 'psychological'. The ABC similarly argued the definition of "harm"
should be limited to physical and financial harm.

According to PwC, entities will struggle to assess the "seriousness" of
harm given individuals have varying thresholds for what they consider
harmful - an argument backed by ARCA.

They will also find it difficult to capture and measure what constitues
"psychological, emotional or reputational harm", the firm said.

It suggested introducing a "reasonable person" test to remove the
subjectivity from the obligations.

The Insurance Council agreed it would be "preferable" to establish an
objective standard of assessment, but nonetheless argued for the removal of
the "subjective" terminology.

The role of service providers

Under the draft bill, the entity obliged to notify authorities of a breach
is that which holds the data that has been breached.

However, the likes of Telstra, Microsoft, PwC, the AIIA and ARCA raised
concerns about the scenario of a breach where more than one entity could be
considered to "hold" the relevant information.

"In a practical sense if a data breach is caused by a contractor in the
possession of an entity’s data but that data is in the control of the
entity there may be conflicting requirements to notify," Telstra said,
arguing this could result in multiple notifications from separate sources
and therefore confusion for customers.

"It is likely that affected individuals ... would not be aware that the
notifications that they receive relate to the same data breach," Comms
Alliance said.

Microsoft - which lent its support to the bill - said [pdf] a cloud service
provider like itself would be unlikely to have the ability to communicate
with individuals.

"Many cloud contracts (including Microsoft’s) specifically limit the
ability of the cloud service provider to access customer data; and
therefore also limit the ability of the provider to make an accurate
determination of whether or not serious harm has occurred," it said.

The Department of Social Services [pdf] echoed similar concerns within
government, in instances where core systems and databases are managed by
other government agencies.

Microsoft, Telstra, the Comms Alliance, PwC and the AIIA said the
responsibility for notification should be on the entity that owns the
customer relationship.

Does the OAIC even need to be involved?

While many of those submitting their views on the proposed bill called on
the government to increase its funding to the severely under-resourced OAIC
to ensure proper administration of the scheme, the federal Finance
department questioned whether the office even needed to be immediately
notified of a breach.

The department said [pdf] while it agreed there was a "strong rationale" to
notify individuals in cases of a breach, it didn't see the need for the
requirement to notify the OAIC straight away in all cases of a serious data
breach.

It gave the example of a payslip for an individual being sent to the wrong
person, which would likely be considered a serious breach under the bill,
but argued that notifying the OAIC in this instance would lead to
"notification fatigue".

"It is not clear what purpose the notification to the OAIC is in these
cases. Very little information has been provided on why the OAIC wants this
information and what the OAIC will do with the information once it is
received," Finance said.

It suggested a two-tier system where notification to the OAIC is only
required in cases where a breach affects more than 500 individuals, as seen
in California in the US.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160323/932f20ee/attachment.html>