MY SAY: Handling data breaches can prove a minefield
THE Federal Government recently announced its intention to legislate for a serious data breach notification scheme.
Unlike other government-imposed interventions in our lives, you would think that making organisations fess up to the loss of our personal information is a good thing.
Heaven knows the standards of response today are as diverse as the reasons behind the breaches themselves, and a good dose of guidance on response practice has to be beneficial.
It wasn't that long ago I was calling for more teeth for our privacy tiger based on some recent data breach response debacles. But there is much more to this topic than meets the eye.
Data breaches can be online or physical. The more spectacular ones tend to involve a hacker, a vulnerable large dataset, a journalist on speed dial and a well-known company or government agency - Sony Pictures, Ashley Madison, David Jones to name a few.
However, breaches can also involve the physical loss of files, inappropriate destruction and disposal of hard drives - such as those found in photocopiers - and even stuffing up your intended email recipient address and sending personal information to the wrong person.
Several parts of the United States have a data breach notification regime.
This legislation has been tinkered with ever since its introduction over a decade ago. The reason is a lack of clear understanding of its intended purpose and outcome.
Notifying individuals impacted by a breach is only half the story. Take last week's latest breach involving customers of a financier.
A very apologetic letter was received by a number of residents on the Coast stating what had occurred, how it occurred and what they could do to protect themselves.
The financier didn't make it public - their customers did.
The problem with this was the advice given to impacted customers on "where to go".
Customers were advised to report to ScamWatch and visit the Commonwealth Attorney-General's Department.
ScamWatch captures reports on scams and the department develops policy and drafts legislation. What victims of data breaches actually need is support to reduce harm, in most cases "serious harm" as outlined in the new draft legislation.
By the time my staff and I hear from them and offer support, you can imagine they are a little annoyed at taking the long route to get help.
I argue strongly that mandatory data breach notification also needs to have support alongside it - support that doesn't just come in the form of organising a credit report (which is free anyway).
We need to think through the "what happens next" question. Top of mind for victims of data breaches is knowledge about the risks of future misuse, pragmatic support, and what steps can be taken to mitigate the chances of something bad happening.
If you come under the Privacy Act provisions, you're likely to come under this new legislation when passed.
What can your company or agency do? Plan now for how you are going to respond. Remember the old adage: if you fail to plan, you plan to fail.
Dr David Lacey is director of iDcare, Australia and New Zealand's National Identity Support Service and a Senior Research Fellow at the USC.