[BreachExchange] Australia, New Zealand Still Mulling Data Breach Laws

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 26 19:11:36 EDT 2016


http://www.databreachtoday.com/australia-new-zealand-still-mulling-data-breach-laws-a-9134

Neither Australia nor New Zealand has laws requiring organizations to
notify people affected by data breaches, but officials in both countries
are reviewing proposals and plan to introduce related legislation.

Regulators in both countries now generally encourage organizations to
report breaches depending on the type of information released and the
potential impact. But what constitutes a serious breach could be open to
interpretation - a gap that both nations hope to close with new legislation.

New Zealand's Privacy Act

In 2011, New Zealand's Law Commission completed a five-year study of the
country's Privacy Act, which went into effect in 1993. The review was
launched over concerns and warnings that the law wasn't keeping up with the
pace of technology changes.

One of the commission's key recommendations is that people should be
notified of serious security breaches. The government went so far as to say
that the best course of action would be to repeal the existing Privacy Act
then re-enact it with various critical updates included.

In May 2014, then-Justice Minister Judith Collins said the government would
introduce a targeted technical consultation on proposals before a bill was
introduced to Parliament.

The proposals included requiring organizations to report data breaches to
the privacy commissioner and to notify individuals in what are considered
"serious" cases.

The mandatory reporting requirement would have two tiers. Under the first
tier, which covers less serious breaches, organizations would be required
to report "material" breaches, a calculation that takes into account the
information leaked, number of people affected and if the lapse is part of a
systemic problem.

A tier-two breach is more serious. In that case, organizations would have
to take reasonable steps to notify the commissioner if there is a real risk
of harm, such as loss, injury, significant humiliation or adverse effects
on rights or benefits.

Failing to notify the privacy commissioner of a data breach would trigger a
fine of up to NZ$10,000 ($6,750). Another proposal was to give the privacy
commissioner new powers, including the ability to issue compliance notices,
as well as stronger authority to investigate suspected privacy problems.

Two years later, there is still no new law on the books. But current
Justice Minister Amy Adams said earlier this month that she intends to
implement the reforms identified by the Law Commission and "modernize" the
Privacy Act.

"I intend to release an exposure draft of the new Privacy Bill before the
end of 2016 for targeted consultation," she said in a speech to the
Wellington Privacy Forum on May 11. "This will provide an opportunity for
privacy experts to comment on whether the draft bill implements the
government's privacy reforms in a way that is clear, accessible and
user-friendly." She plans to then introduce the bill in New Zealand's
Parliament next year.

"These reforms will incentivize private entities and public sector agencies
to value early identification and prevention of privacy risks that could
cause harm," she said.

Australian Information Commissioner Guidelines

In Australia, there has been significant public support for some type of
data breach notification requirement, according to a recent analysis by the
law firm Corrs Chambers Westgarth. The Labor government introduced draft
bills in 2013 and 2014, but a law never made it on the books.

Governments are generally reluctant to impose new regulations on
businesses, says attorney Gordon Hughes, a partner with the Melbourne-based
law firm Davies Collison Cave, who specializes in technology and data
protection.

"Certainly there is resistance from the commercial sector to any form of
significant mandatory data breach reporting obligation," Hughes tells
Information Security Media Group. "A bank doesn't want to advertise to the
world that their information has been compromised."

Currently, the Office of the Australian Information Commissioner recommends
that breached organizations inform both the OAIC and those affected by a
breach if there is a "serious risk of harm." The OAIC says organizations
should consider what kind of personal information was breached, the cause
and extent of the breach, as well as what harm individuals could
experience, when assessing whether it's serious.

The OAIC's guidelines note, for example, that Australian Medicare numbers,
driver's license details, health or financial information such as payment
card numbers "might pose a greater risk of harm to an individual than their
name or address."

It adds: "A combination of personal information typically creates a greater
risk of harm than a single piece of personal information."

But while those might be the OAIC's recommendations, under current
Australian law, organizations are under no obligation to notify consumers
or the OAIC if they've been breached.

Australia: Support for Breach Legislation

But there's support from Australia's ruling Liberal Party to push ahead. In
March, the government concluded a public consultation on the Privacy
Amendment (Notification of Serious Data Breaches) Bill 2015, which would
amend the country's Privacy Act of 1988 to incorporate a mandatory
reporting requirement.

The notification requirement would apply to federal government agencies and
private organizations with an annual turnover exceeding AU$3 million ($2.2
million). It also applies to foreign companies that deal directly with
Australian consumers or process information on behalf of Australian
businesses.

"The implications for Australian businesses (and foreign businesses
conducting business in Australia) are likely to be significant and
far-reaching," write Philip Cantania, partner, and Tim Lee, senior
associate, both of Melbourne-based law firm Corrs Chambers Westgarth.
"Australian companies that use off-shore data processing services are
particularly likely to be impacted."

Serious or repeated breaches could be subject to civil penalties up to
AU$1.7 million ($1.2 million). Organizations would have 30 days to
determine if a breach meets the reporting threshold.

Experts expect to see no action on the legislation until after Australia
holds a federal election on July 2. Hughes said the issue of data
protection hasn't even come up in current campaigns.

"Privacy is not a big vote winner," he said. "People just don't get excited
about it."