Data protection laws on ice

13.09.2005
By Michael Crawford

Australia will not follow the lead of the US by introducing stiffer data protection laws to safeguard sensitive information held by companies despite compelling recent evidence of a thriving black market trade in the personal data of Australians.

In December, the US state of New York will bring into force strict new laws governing data security breaches. The laws will directly force state-based and interstate companies to disclose virtually all data breaches, no matter how small the companies deem the risk to consumers - and will usurp current California breach notification laws as a national benchmark.

However, despite two high-profile cases that have seen thousands of Australians forced to replace personal items ranging from credit cards to passports, Attorney General Philip Ruddock maintains that the existing Privacy Act, which carries no criminal sanctions, is strong enough to compel companies to keep their data safe from theft.

According to information obtained by Computerworld from the office of the Attorney General, no new laws will be considered in Australia to force companies to disclose all details of a breach of data security that could expose personal information to either the general or criminal populations.

A spokesperson for Attorney General Philip Ruddock said the Privacy Act (1998) remained appropriate because it regulated the collection of personal information by Australian public and private organizations.

"The act imposes obligations on agencies and organizations to store the information securely, to limit access and to limit uses and disclosures," the spokesperson said.

Australian privacy laws do not require mandatory reporting of security breaches of personal information, and Australian Privacy Commissioner Karen Curtis said the concept of mandatory reporting was not raised in a recent review of the private sector provisions of the Privacy Act.

Rather, Curtis has recommended a wider review of the Privacy Act that would look at privacy risks posed by technological change, saying a Senate Inquiry into the Privacy Act, released on June 23, offers "a forum for discussing possible solutions such as mandatory reporting of security breaches".

Despite the obvious loophole that allows Australian companies to legally hide their exposure to data theft, Curtis says companies should do the right thing and come clean to customers in the event they are compromised.

"In the event of a security breach which involves the disclosure of personal information, it would be good privacy practice to tell affected individuals in a timely manner so that [they] can take any necessary steps to protect their personal information," she said.

Security analysts are not buying the voluntary disclosure argument. Frost & Sullivan security analyst, James Turner, said Australia urgently needs legislation to protect consumer data that will scare company directors out of complacency by way of stiff penalties.

"Many companies in Australia are playing Russian roulette with their customers' data. If the gun had all the chambers loaded and it was pointed at the head of the CEO, we'd see pretty fast changes in the way companies protect our personal data," Turner said.

"If a company based in Australia had its database of customers' personal data breached, and some of these customers were based in the US, it would seem extraordinary if the US did not insist on the breach being disclosed to those affected."

Turner said in such an event, Australian regulators would have to "take a good look at why we were telling US citizens but not our own", and such a scenario will drive similar laws here.

Marked cards

* US transaction processing company CardSystems Solutions exposed private details of 40 million credit card users worldwide after being hacked in July 2005.
* 130,000 Australian credit card holders affected.
* ANZ forced to re-issue 11,000 credit cards, Westpac 3000, CBA 1000, NAB 500.
* 400 ANZ customers actually compromised.
* Visa and American Express sever ties with CardSystems, effective October 31, 2005.

Called to account

* Four Corners program buys stolen Australian customer data for Switch Mobile customers in India.
* Drivers licences, passport numbers and birth certificate details compromised.
* Switch Mobile offers to pay costs for customers to replace identity documents.
* Switch Mobile severs ties with offshore provider 1TouchSolutions.