A new government could rethink data breach law


By Dylan Bushell-Embling
Tuesday, 09 July, 2013


The data breach notification Bill’s failure to pass the Senate at last month’s final regularly scheduled sitting day before the next election could provide an opportunity to rethink some perceived weaknesses in the legislation, analysts believe.

Prime Minister Kevin Rudd is yet to formally set an election date, so there might still be time to send the Bill through before the next term.

But assuming the election is not delayed, a Coalition government or a Labor government with a Coalition-controlled Senate may not be willing to pass the amendment as it stands.

While the Bill was not debated during the final parliamentary session, the Senate Committee for Legal Affairs’ report into the proposed amendments included a series of concerns from Coalition senators.

Issues included the lack of due process afforded the Bill, including the time spent soliciting input from stakeholders; industry’s worries about regulatory overload; and vague definitions of the terms “serious breach” and “serious harm”. But the report did ultimately recommend that the Bill be passed.

Telecom analyst Paul Budde believes that should the Coalition gain power before the amendment can go through, it will likely be scrapped in its present form.

“Having said that, there is no doubt that the issue will return to parliament as it is one of the hottest topics amongst government around the world,” he said.

David Vaile, executive director of UNSW’s Law and Policy Centre, would disagree. He told Fairfax Media that only the Labor leadership spill prevented the amendment from passing. He expects it to eventually be passed regardless of which party wins power, but acknowledged there is room for improvement in the wording.

IBRS advisor James Turner said if a Coalition government did decide to go back to the drawing board, there are certain key points that require close consideration.

“When it comes to digital information, no organisation is invulnerable. The recent leak from the NSA has proven this point. So, we’re going to punish organisations for not being invulnerable while they operate in an environment where it is impossible to be invulnerable.”

Given that it is impossible to fully secure against the risk of data breach, the question becomes how much IT security is reasonable, he said.

“This is a question that a large portion of the Australian IT security community struggle with daily. What’s missing is a test of reasonableness. At what point is an organisation spending too much on IT security?”

Another factor that may have to be reconsidered is the timing, Turner said. The original plan was to have data breach notification laws in place by March 2014.

“The challenge for this is that many organisations are just not geared up for this. In an ideal world, they would be. But they’re not. To start handing out fines by April of next year for poorly defined data breaches seems shortsighted,” Turner said.

“My hope is that the next government, Coalition or Labor, will take a little more time to think about these core points.”

Image courtesy of Chensiyuan
