The Federal Government has called in Symantec for consulting advice on forthcoming US-style data breach notification laws aimed at notifying consumers when a business has lost or compromised data linked to them.
Responding to Computerworld questions at a media conference, Symantec’s CEO Enrique Salem said the company had been working with the Australian Law Reform Commission and the Office of the Prime Minister and Cabinet on the first and second tranches of the proposed changes to the Privacy Act and the proposed introduction of data breach notification laws.
“Business here in Australia, I predict, will face these new disclosure laws. I’ve seen these adopted around the world, where when you lose data, there is a breach, then you have to notify the individuals,” he said.
“There are laws that are currently being worked on in Australia and New Zealand that will absolutely push the notion that if data is stolen, you have to say. Government has been working on [the laws]. We are advising the government on them, giving a point of view around what they should consider as part of the legislation.”
Salem said that Symantec was pushing for the Australian laws to include a safe harbour clause to minimise the need for disclosure on data which had not been compromised.
“What we are working towards in the US, and in Australia and New Zealand, is that disclosures are important, but we want to make sure there are some safe harbours,” he said. “If you can prove that a laptop that was stolen had some data on it, but that it hasn’t been compromised, then you shouldn’t have to disclose that, as we don’t think there is any risk.
“These laws will absolutely happen here and in New Zealand and they are already in the US. There they will expand from 46 different laws to one federal one, and in Europe the same thing. The public absolutely has a right to know, and the government will get pressure to enforce these kinds of laws.”
In October the Federal Government released its response to the Privacy Act recommendations. Notably, however, the first stage does not deal with the sensitive issue of serious data breach notifications or the proposal to remove some exemptions.
In May the Payment Card Industry (PCI) Security Standards Council said a lack of financial penalties and a mandate to publicly admit data breaches may be clouding the real state of credit card payment and customer information security in Australia.