The Association for Data-driven Marketing and Advertising CEO Jodie Sangster is not convinced that there is a need for data breach notification legislation and this appears to be a common theme from business representatives.
In response to my earlier article calling for business to act immediately to improve customer information security Sangster wrote “seriously, why not let business get to grips with the new Privacy Act because that’s already complex enough? Let’s get that right and then we can look at what else needs to be done.”
There are several reasons why we cannot wait for business to “get to grips with the new Privacy Act” and it's vital that government act to pass the Privacy Alerts Bill 2013 in the first parliamentary sitting after the next election.
This bill was intended to introduce a regime for data breach reporting and support the Privacy Amendment (Enhancing Privacy Protection) Act 2012 which introduced a number of significant changes to the Privacy Act, including the updated Australian Privacy Principles.
Can we trust business to act in the best interest of consumers?
Sangster argues that the Privacy Commissioner is ill-equipped to handle the many thousands of data breach reports that the passage of the Privacy Alerts Bill 2013 would trigger. But fears of this deluge should be tempered by the fact in 2011 the Privacy Commissioner received 46 data breach reports under the current voluntary reporting regime.
That’s right, only 46 data breach notification reports received from businesses in the same year that it's estimated that they suffered 50,000 or more data breaches. The numbers just don't add up and neither does the assumption that the current guidelines on data breach notifications are working well.
What the numbers do show is the how consistently businesses are failing to report data breaches to the Privacy Commissioner and this doesn't reflect kindly on the existing voluntary reporting regime.
A new-look Labor may be making an effort to engage with the business community, however, many business leaders are pinning their hopes on the Coalition winning the next election. But will a Coalition win automatically relegate the proposed mandatory data breach to the back burner?
I am not sure businesses should bet the house on the Coalition risking a public backlash by shelving the Privacy Alerts Bill 2013 – which have been on the drawing boards since 2008 and is popular with voters.
As Sangster states: “I have written to the Leader of the Opposition in the Senate, the Hon Eric Abetz and to members of the Senate Legal and Constitutional Affairs Committee, to voice my concerns and I’ll be keeping a watching brief on it when Parliament resumes.”
The major concern is that the “Privacy Alerts Bill 2013 will have economic consequences for the country at a time of relative weakness in the wider economy. Business will be stifled and consumers will have to pay higher prices. It’s not a win-win.”
However, this equation isn't quite as straight forward as that. Improved security of consumer information will be a win for the consumer and it can also be just what businesses need at a time when competitive pressures have been magnified.
In fact, it could be the difference between a business that holds on to satisfied customers and one facing relentless churn and diminishing reputation.
In 2011, Deloitte Access Economics estimated that the digital economy contributed about $50 billion or 3.6 per cent of GDP and to grow to over $70 billion by 2016. Improved consumer information security would encourage more people to participate in the digital economy knowing that they would not suffer negative consequences like identity theft and cyber-crime.
How can business cry poor?
The digital economy provides business with benefits and costs as does any other sales channel. One cost is the need to ensure digital security is central to all online activities and not ignored as an avoidable cost.
Businesses are responsible for consumer information, intellectual property, and commercial information. Failure to secure information should lead to repercussions starting with a loss of reputation, customers and financial penalty for repeat offenders.
This is the crux of the argument against the Privacy Alerts Bill 2013. If a business is forced to notify the Privacy Commissioner and customers of privacy breaches then there will be serious repercussions so it is no wonder that business representatives have likened this bill to castor oil.
Ultimately, business only has itself to blame. For the last five years the Privacy Commissioner, the Australian Law Reform Commission, government ministers and privacy advocates have been calling for business to get its collective head out of the sand and take information security seriously.
The Coalition has remained silent on its support for the Privacy Alerts Bill 2013. Will a Coalition government make the bill disappear in an effort to appease business or will the Coalition speak up before the election in support of every Australian’s basic right for their personal information to be secure?
It's an important question and businesses need to think outside the box when it comes to considering what sort of an environment they are hoping to foster. The introduction of a mandatory data breach notification regime may be a bitter pill for some to swallow but that doesn't preclude smart businesses from using in their own favour, especially at a time when consumers are happy to take their business elsewhere.
This article was published in reply to Jodie Sangster's Avoiding a country that cries 'data breach'
This debate was sparked by Mark Gregory's original article on the matter Can data breach notification laws survive the election?
Mark Gregory is a Senior Lecturer in Electrical and Computer Engineering at RMIT University.