Digital Guardian's Blog

Down Under, Lawmakers Ponder Pain and Suffering from Breaches

Should businesses be liable for the pain and suffering experienced by customers as the result of a data breach? Lawmakers in Australia say “yes.”

Should consumers affected by the theft or loss of their personal data be able to receive compensation for the pain and suffering it caused them? Lawmakers in Australia think the answer is “yes” and have proposed new laws that would make breached firms responsible for paying damages.

The proposed legislation was introduced in 2015. It would amend Australia’s Privacy Act of 1988 with a particular focus on data privacy. The amendment would replace voluntary guidelines and, for the first time, establish a federal data breach notification law for Australia (I know – crazy, right?). It would set a uniform standard for Australian businesses and other organizations when it comes to data breach notification.

But business groups are up in arms about provisions of the law. Among them: the prospect of civil penalties for firms that experience breaches that cause “serious harm” to consumers, including “physical, psychological, emotional, economic and financial harm, as well as harm to reputation.”

The goal of the legislation is to “permit the use of less severe sanctions before elevating to a civil penalty,” according to an explanatory brief published by the Australian government. Public or personal apologies, compensation payments or enforceable undertakings could be used in lieu of civil penalties, which would “only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements,” the document said.

The proposed legislation, which will be re-considered in 2016, builds on data privacy laws enacted in most U.S. states and, in many ways, improves on them, according to commentary offered by the Australian Cyberspace Law and Policy Community. Among other things, the proposed legislation is specific about the content that should be included in a breach notification and sets a bar for “harm” to reduce the likelihood of excessive breach notifications that can overwhelm consumers and create “notification fatigue,” the group noted.

Still, the business community in Australia is up in arms. The Australian Chamber of Commerce warned that the law, as written, is too vague and will be difficult and expensive to enforce. Comments by the Australian Association for Data Driven Marketing and Advertising (ADMA) questioned whether a federal law is even necessary and took aim at the definition of a “serious data breach.” “Although the definitions are drawn from the current voluntary regime, enshrining such vague definitions in legislation will only serve to drive business to adopt an overly cautious approach to reporting which in turn is likely to result in notification fatigue,” ADMA said. More regulation will mean a higher cost of doing business, which will be passed on to consumers, ADMA argued.

And, to be fair, even supporters of the law note that it has shortcomings. The Cyberspace Law and Policy Community response criticizes the proposed legislation for being too vague about what a breached entity’s obligations are and leaving it largely to breached firms to determine the level of “harm” in a given incident.

The notion of “harm” is one that is also working its way through U.S. courts, where 46 states, the District of Columbia and three U.S. territories have passed separate data breach notification laws. As this blog has reported, U.S. courts have issued conflicting rulings on whether consumers whose data has been stolen or leaked from breached firms have suffered a “harm” that gives them standing to sue (for example in class action suits). However, in recent months breached firms like Home Depot have opted to settle class action suits rather than push the idea that their customers suffered no harm from the theft of their financial data. And, in at least some recent cases, courts have shown a willingness to consider the possibility that data breaches may hold some “future risk” akin to environmental poisoning that may not be present at the time of the breach.

It remains to be seen whether the proposed Australian legislation will become law. Meanwhile, in the U.S. the absence of a federal standard for what constitutes a “breach,” whether breaches constitute “harm” to the public or what companies are required to disclose and when is likely to leave consumers with little in the way of concrete legal protections and guarantees.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.