Data security breaches are an ongoing concern for businesses, retailers, merchants and customers globally and in Australia. As a result, the Federal Government’s much-mooted data breach notification bill is expected to be introduced in parliament in the coming months. While the timeline is aggressive, it is worth noting that the bill has previously had support from both the Greens and the Labor Party.
In broad terms, the legislation would require companies generating revenue over $3M to notify the Privacy Commissioner and the individuals affected when personal data has been compromised and the release of that information poses a real risk of serious harm, for example where a person’s credit card details, identification details, passwords or other sensitive information have been leaked or obtained fraudulently. At the moment, companies report breaches to the Privacy Commissioner on a voluntary basis.
The legislation raises questions and concerns for everyone involved, and industry and business groups have put forward opinions both for and against it. Some have argued that the existing privacy laws are sufficient and that the bill would place an extra burden on businesses by requiring them to report to government every time they suffer a data breach.
Mandatory data breach laws will, in effect, require companies to publicise that they have been the victim of a data breach. Based on recent case studies, this could result in negative brand exposure, lost customers, lost sales and revenue, and potentially penalties and fines.
Similarly, some groups have said that the wording of the bill needs further debate and that elements such as the question of “harm” to an individual in a data breach may be hard to assess at times.
Will Level 1 merchants, who already face stringent PCI DSS compliance requirements, be affected by this legislation? It will apply to all companies above the revenue threshold regardless of their PCI DSS status, but maintaining PCI DSS compliance reduces both the likelihood and the scope of cardholder data loss, and therefore the likelihood of a notifiable breach involving card data.
What about the practicalities? It can take an average of 243 days between an entity being hacked and its discovery of the breach. It is important to note that the draft legislation is framed around the time of awareness: the notification obligation is triggered when the entity becomes aware of the breach, not when the intrusion actually occurred.
While the government has been clear that it wants to tackle cybercrime, with a $230 million strategy unveiled this year, large organisations such as Telstra and PayPal say the legislation places an unnecessary onus on the entity that suffered the breach to notify authorities. Telstra argued that a single incident could trigger multiple notifications, leaving consumers confused about what is going on.
There is also the question of how affected customers are to be contacted. It was pointed out that some cloud service contracts specifically limit the cloud service provider’s ability to access customer data, which means that, as Microsoft noted, “the provider is limited in its ability to make an accurate determination of whether or not serious harm has occurred”.
To find out more about the latest changes to the bill and how they affect PCI DSS compliance for your business, speak with a PCI DSS specialist today.