SMEs face privacy burden with Federal Government moves towards mandatory notification of data breaches

Businesses will be required to notify customers and other third parties if the security of their personal information has been compromised, under the proposed mandatory notification scheme released by the Federal Government this week.

The government has decided to take action following a rise in personal information that is stored by businesses and a recent spate of inadvertent emails, websites accidentally opened to public viewing, and hacked databases.

The government’s discussion paper, which seeks submissions by November 23, considers whether Australia should introduce mandatory data breach notification laws.

The paper also considers what kinds of breaches should prompt notification, who should decide whether notification is necessary, what should be reported, and when and how notification should be enforced.

The paper notes a significant number of other countries have implemented some form of mandatory notification scheme, with most states in the United States having data breach laws and countries including Germany and Mexico having adopted data security breach notification obligations.

The Australian Law Reform Commission has previously argued for a mandatory regime which includes a civil penalty system to be enforced by the Privacy Commissioner.

Australian Privacy Commissioner Timothy Pilgrim stated that notifications give affected customers an opportunity to reduce the impact of a security breach by acting quickly and could also improve public confidence in companies that store personal information.

Cameron Abbott, partner at law firm Middletons, told SmartCompany the effects of mandatory notification in Australia could be far-reaching.

“There have certainly been some spectacularly large and public data breaches, which I think is raising the issue in the community’s consciousness; the Sony portal breach was very large-scale and very public,” he says.

“The aim of the discussion paper is to take what is an optional process, guidance the Privacy Commissioner has given as when there is a breach, and actually turn it into a compulsory step when the circumstances might cause significant harm to the people whose data has been exposed.”

Abbott says he thinks the proposal for mandatory disclosure will get “a fair amount of support”.

“Given that there is already guidance that recommends you should do those things, it is a little hard to argue against it,” he says.

“The reality is that if you are exposed and it is going to cause harm to the owners of that personal information then really you should tell them. It is not unreasonable.”

He warns mandatory notification laws could bring to light data breaches that otherwise may never have been disclosed, increasing the pressure on companies that collect, store, use or disclose personal information to ensure that it is adequately protected.

Abbott says businesses should be anticipating that they will be subject to a mandatory notification obligation if they are subject to the Privacy Act, which has a threshold of $3 million in turnover.

He also warns a mandatory disclosure regime is likely to hit SMEs particularly hard.

“Often SMEs have less rigorous security; so it means if they are subject to some sort of penetration attack that breaches that security the data will probably be accessed and it will not be as heavily encrypted as at some larger organisations,” he says.

“They will have to make those notifications and often businesses are reluctant to do this as it can spoil the good relationships they have with their customers, so many don’t like to notify and will find this a little painful.

“On the flipside, it is sometimes the larger companies that are the more attractive targets for more sophisticated hackers.”