Australia’s Data Breach Laws: Too Little, Too Late

2017/02/14

ITNews reports that Australia finally has mandatory data breach laws. Sadly, these are woefully inadequate, and should be a concern for anyone who transacts or interacts with Australian businesses and groups online.


The data breach laws require applicable companies impacted by a data breach to notify customers within 30 days.

Applicable companies. 30 days.

That’s not consumer protection, that’s sophistry. We’ve waited years for mandatory data breach laws, and the ones that finally get introduced are sufficiently washed out that they leave citizens at significant risk of financial and identity theft.

Let’s start with 30 days. The Greens proposed a 3 day mandatory breach notification period. 3 days is a long time electronically – I’m reminded of Mr Data in Star Trek: First Contact:

Jean-Luc Picard: How long a time?
Data: Zero-point-six-eight seconds, sir. For an android, that is nearly an eternity.

3 days is almost an eternity electronically, but it’s a considerably smaller eternity than 30 days. 30 days is more than enough time for someone with personal sensitive information to rifle through a large number of your online accounts, skim banking or credit details, or leave you exposed in a large number of other ways. Saying that companies, once they become aware of a breach, get 30 days to notify affected users is literally like sticking a “please rob me” sign on the back of every user of electronic services in Australia.

And if that weren’t enough, there are the applicable companies. Excluded from these entities are:

  • Local government
  • Political parties
  • Businesses with less than $3,000,000 per annum turnover

Local governments may retain credit information for automated debits. Political parties will retain contact and possibly billing information for membership, donations, etc. And the number of businesses we might interact with online who have a turnover of less than $3,000,000 is quite high. Local florists. Local businesses. Small franchises, tradespeople, small hardware stores, etc.

Think of all the entities covered by local government, political parties and businesses with less than $3,000,000 a year turnover that you might have interacted with in the last twelve months.

Do you feel that your personal identity and financial status are secure knowing that businesses matching the above don’t have to report a breach at all, and businesses that are applicable get 30 days before they tell you?

If you do, you probably need to stop using the Internet.