'Reasonable steps' key to data breach law impact

By Darren Pauli on May 15, 2013 8:16 AM
Filed under Security

Laws may mean little for security-savvy organisations.

Security and technology heads at top Australian organisations say the impact of a mandatory data breach reporting scheme on businesses will largely depend on what the Federal Government determines are 'reasonable' security controls.

Plans for a data breach notification scheme were shared with a small number of stakeholders as the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013, obtained by SC.

The scheme was recommended by the Australian Law Reform Commission in 2008 and would force organisations to notify the Federal Privacy Commissioner, affected consumers and on occasion the media when data breaches occur.

Under the scheme the Federal Privacy Commissioner would consider whether an affected organisation has taken 'reasonable steps' to protect its customer data in deciding whether to pursue fines or enforce a public notification of a breach.

Security and technology heads speaking at a SC and ITnews roundtable on the impact of data breach notification said the details of 'reasonable steps' were critical to understanding the impact the scheme could have on Australian businesses.

For organisations with strong security, the scheme would serve only as an extension of existing controls.

“We are a customer-facing organisation and already have processes in place to communicate with customers,” Vodafone Australia head of information security Eyman Ahmed Ahmed said at the roundtable in Sydney.

“I think it is worth asking, 'what is the scope of ‘reasonable’? … Is the scope that my SIEM (Security Information and Event Management) deployment is built against ‘reasonable’ or do I have to extend it to every critical system?”

Security managers were concerned that a data breach notification scheme could also affect outsourcing contracts.

Under the exposure draft, organisations could be liable for data breaches at their outsource providers if the Privacy Commissioner found they did not ensure reasonable security controls were in place prior to contracts being signed.

Organisations may be able to minimise the risk of falling foul of any schemes by ensuring proper documentation occurs, Sydney University information security manager Daniel Grzelak suggested.

“Documenting that you’ve taken reasonable steps, rather than investing in prescriptive technologies” could be the way to achieving compliance with data breach notification laws.

“The definition of ‘reasonable’ is up in the air, so perhaps the only way to say you’ve taken reasonable steps is in your documentation.”

Copyright © SC Magazine, Australia