The introduction of data breach notification laws will be a
significant impost on companies, but may be the only defence left
for people who value their privacy, writes Nick Abrahams.
The federal government has announced that, before the end of the
year, we will have mandatory data breach notification. This means
companies will be required to notify us whenever the information
they hold about us gets hacked or otherwise inappropriately
This will be a significant impost on companies in relation to
compliance costs and potential adverse reputational impact. For us
little people, it may be the only defence we have against the tidal
wave of big data analytics ripping away the last vestiges of our
privacy (or it may be just more annoying junk mail).
What it certainly means is that cyber risk should be a top three
issue for all board risk committees this year.
The concept of mandatory notification has been before our
Federal Parliament in one form or another for a few years now. It
has been standard practice in 47 US states for almost a decade,
and President Barack Obama has just announced a major new measure
designed to create a uniform breach notification law across the
country. There are notification laws in various parts of Europe and
It is inevitable that we will have mandatory notification. The
key issue will be how to ensure that the regime achieves its public
policy objectives, which are:
To encourage companies to better protect our data.
To maintain community confidence when transacting with
To protect us when our data goes awry by allowing us to take
action to mitigate possible harm from the disclosure.
Achieving these policy-driven outcomes will not be without its
A study at Carnegie Mellon University compared US states with
data breach notification laws to those without them and found
that the laws were effective in reducing identity theft only in
the 12-18 months after their introduction. After that, rates of
identity theft returned to similar levels across all states.
There is also the notification fatigue issue to deal with. A
Ponemon Institute survey of people who had received breach
notifications found that 39 per cent of those people thought the
notices were junk mail and 48 per cent thought the notice was
misleading or confusing.
Opponents of the idea argue that a notification obligation in
fact penalises those companies that diligently monitor their
networks and data: diligent companies will detect breaches and
will then be forced to notify, whereas those with lax arrangements
will not detect the breaches and so will never have to notify
anyone.
The most critical aspect to get right will be the trigger for
the notification. It cannot be just any breach of privacy, as this
would result in excessive compliance costs and notifications. There
ought to be a threshold before notifications need to be issued,
such as where there is a real risk of harm to the individual if
they were not to be notified.
At present in Australia there is no general law that requires
companies whose customers' data has been compromised, whether by
hacking attack or otherwise, to notify the affected customers. The
new law will change that. The resulting publicity can lead to
significant losses to organisations in terms of reputation and, as
has been seen in the United States, to class action lawsuits.
In the digital age, confidentiality and trust are the new market
differentiators. These new laws will see the appointment of more
chief risk, trust and confidentiality officers, as well as a
heightened focus on cyber security, especially on encrypting data
at rest rather than just in transit. Most US state laws do not
treat the loss of properly encrypted data (where the key has not
also been compromised) as a notifiable breach at all, which is why
encryption at rest is usually the first control organisations reach
for under these regimes.
With more than 100 million data breach notices issued every year
in the US, it is questionable how effective the regime is over
there. Depending on how our government implements the regime, we
may need to expand the notice on the letterbox to "No Junk
Mail or Data Breach Notices Please".