Australian businesses turning over more than $3 million a year will be forced to notify customers of serious data breaches if the federal government successfully passes its proposed data breach legislation.
As it currently stands, Australian businesses do not have to notify customers or the privacy watchdog of data breaches; however, they may do so voluntarily.
During the 2014-15 financial year the Office of the Australian Information Commissioner received 110 voluntary data breach notifications from government organisations and the private sector, up from 67 notifications the previous year.
Under the government’s proposed legislation, businesses will be forced to notify the Australian Information Commissioner and affected individuals if there is a “serious data breach”.
The draft legislation defines a serious data breach as one where there is a “real risk of serious harm”, such as a cybercriminal gaining access to an individual’s personal information or tax file number.
A number of Australian retailers were subject to security incidents last year. In June, fashion retailer Sussan suspended its website after a security breach was uncovered.
David Jones, Kmart and Catch of the Day also suffered security breaches last year.
Michael McKinnon, security awareness director at AVG Technologies, told SmartCompany this morning that a major issue for the security industry is not knowing how many businesses are being compromised, due to the lack of mandatory reporting laws.
“Cybercriminals are often getting away with crimes that are unreported,” McKinnon says. “The awareness level in the community that should be there isn’t there. There is a strong argument that this legislation will assist in this endeavour in that it will help bring those crimes to light.”
“We would then hope that, overall, it would have a net impact on improving things for our country as a whole.”
The government has indicated it wants to streamline the mandatory reporting process for businesses as much as possible to reduce the impact of additional regulatory burdens.
However, McKinnon points out that, when it comes to protecting information, the vast majority of companies would already be making significant investments in terms of time and resources.
“The real wake-up call here for a lot of online retailers is going to be more around making sure that those security programs are in place to protect their information as best as possible,” he says.
“If we look at the recent [data] compromises, many of them could have been prevented. There are many cases when data breaches and compromises are the result of poor business practices rather than technological flaws.”
The government is seeking feedback on the proposed data breach legislation, with the deadline for submissions falling on March 4.