NSW government agencies would be forced to reveal if they have been targeted by hackers under proposed legislation.
The reform would make NSW the first state to demand transparency on data breaches from its departments. The proposal comes after major hacks on Optus and Medibank have exposed legal flaws that allow cyber incidents to be kept secret.
In a separate development, the federal Attorney-General Mark Dreyfus is seeking to plug a similar loophole in the Privacy Act in light of the recent hacks.
A bill to amend the act in order to strengthen the Notifiable Data Breaches scheme passed the House of Representatives yesterday and is being looked at by a Senate committee ahead of a vote in that chamber before the end of the year.
That bill will also raise business penalties for serious privacy breaches from the current $2.2 million to fines as large as $50 million.
Separately, Dreyfus is expecting to receive a departmental review into the Privacy Act, which will inform a possible major overhaul of the 1988 legislation next year.
The new NSW bill would force government agencies to tell the privacy commissioner about any hacks involving personal information likely to result in serious harm. It would also require the agencies to tell the people who have been personally affected.
Those are similar provisions to what’s already in the federal Notifiable Data Breaches scheme, except the federal scheme applies to large private companies as well as public entities.
“Agencies will also have to satisfy a number of data management requirements, including making reasonable attempts to mitigate the harm done by a data breach, maintaining an internal data breach incident register, and have a publicly accessible data breach policy,” state Attorney-General Mark Speakman said.
The federal changes to the Privacy Act will give the Australian Information Commissioner new “information gathering power” that will allow it to assess suspected data breaches, and will also ensure the commissioner has “comprehensive knowledge” about what kind of information has been compromised in order to evaluate what harm could be done to individuals.
A pair of academics who have attempted to create a database of hacks, but found it near-impossible because of the lax rules around disclosures, have previously told Crikey there should be a central hub of information about breaches.
“There is huge scope for organisational judgment about disclosures … public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker said.
“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues.”
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.