'Reasonable steps' key to data breach law impact

By Darren Pauli on May 15, 2013 8:16 AM
Filed under Security

Laws may mean little for security-savvy organisations.

Security and technology heads at top Australian organisations say the impact of a mandatory data breach reporting scheme on businesses will largely depend on what the Federal Government determines are 'reasonable' security controls.

Plans for a data breach notification scheme were shared with a small number of stakeholders as the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, obtained by SC.

The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Federal Privacy Commissioner, affected consumers and on occasion the media when data breaches occur.

Under the scheme the Federal Privacy Commissioner would consider whether an affected organisation has taken 'reasonable steps' to protect its customer data in deciding whether to pursue fines or enforce a public notification of a breach.

Security and technology heads speaking at an SC and ITnews roundtable on the impact of data breach notification said the details of 'reasonable steps' were critical to understanding the impact the scheme could have on Australian businesses.

For organisations with strong security, the scheme would serve only as an extension of existing controls.

“We are a customer-facing organisation and already have processes in place to communicate with customers,” Vodafone Australia head of information security Eyman Ahmed Ahmed said at the roundtable in Sydney.

“I think it is worth asking, 'what is the scope of ‘reasonable’? … Is the scope that my SIEM (Security Information and Event Management) deployment is built against ‘reasonable’, or do I have to extend it to every critical system?”

Security managers were concerned that a data breach notification scheme could also affect outsourcing contracts.

Under the exposure draft, organisations could be liable for data breaches at their outsource providers if the Privacy Commissioner found they did not ensure reasonable security controls were in place prior to contracts being signed.

Organisations may be able to minimise the risk of falling foul of any schemes by ensuring proper documentation occurs, Sydney University information security manager Daniel Grzelak suggested.

“Documenting that you’ve taken reasonable steps, rather than investing in prescriptive technologies” could be the way to achieving compliance with data breach notification laws.

“The definition of ‘reasonable’ is up in the air, so perhaps the only way to say you’ve taken reasonable steps is in your documentation.”

Copyright © SC Magazine, Australia