Wednesday, August 22, 2007

Australia's data privacy landscape questioned [Data Privacy - Australia]

When it comes to privacy, bank customers in Australia are left to choose between garbage, trash or junk. That is how Gartner's vice president of research, Rich Mogull, describes the current data privacy landscape in Australia.

A strong advocate of the introduction of disclosure laws which force banks to notify customers of a security breach, Mogull said the Australian government needs to act by implementing legislation that includes penalties to ensure compliance.

Without these laws, Mogull said customers cannot make an informed decision when seeking a financial services provider.

He said breaches are occurring in Australia but it is impossible to get meaningful statistical data that could provide some insight into the current IT security landscape.

"There is no legislative protection in Australia just the National Privacy Principles [under the Privacy Act] which are not enforced; the current landscape in Australia is what it was like in the United States pre-2005 before the first breach notification law was introduced in California," he said.

Mogull's comments delivered at Gartner's IT security summit in Sydney today are part of a broader push for changes to the Privacy Act currently being reviewed by the Australian Law Reform Commission (ALRC).

The ALRC is releasing a discussion paper next month recommending the introduction of security breach disclosure laws in Australia with the final report to be delivered to the federal Attorney General, Philip Ruddock in March, 2008.

The recommendation also has the support of the Federal Privacy Commissioner, Karen Curtis.

Mogull said disclosure laws in the US have been the biggest single driver in improving the IT security landscape. Under the Californian law, which he said is the first of its kind in the world, if a specific combination of data is disclosed then customers must be notified. That combination includes the customer's first and last name, along with credit card and banking details, and social security number. "The law was ignored for two years until the Choice Point breach then the flood gates opened," Mogull explained.

"Previously there was no external pressure to act. If an organization is losing customer data and it doesn't affect the business then there is no impact.

"The customer suffers but the business doesn't. There is a built-in market force to keep your mouth shut. Basically, market forces are working against privacy protection."

Mogull said 40 states in the US now have disclosure laws providing customers with a level playing field to make informed decisions.

"The IT security landscape here today has been reduced to a choice of garbage, trash or junk but bad publicity about breaches can change that, it can force change," he said.

"Australia isn't any safer than the US when it comes to data protection I know breaches are occurring as I work with the financial services sector here and know what security programs the banks have in place.

"In fact I think it is a much harsher environment here, especially when it comes to phishing and Australia's proximity to Asian economies; it is just hidden more from consumers.

"There are no market forces pushing organizations to do better."

Mogull said disclosure laws are a good starting point to improve the IT security landscape because it would enable the collection of valuable data and to understand how breaches occur.

"With good stats we can make good decisions," he added.

While Mogull believes the laws should include penalties, he said there should also be a built-in mechanism that allows consumers to take legal action themselves.

He admits organizations may need to increase budgets to be compliant.

"If an organization is currently spending five percent of their budget on security they may have to bump that up to seven percent; but this usually involves a shifting of funds rather than new money," Mogull said.

The Australian Bankers Association (ABA) CEO, David Bell, told Computerworld banks already have a legal duty to protect customer data under a number of laws without the introduction of data disclosure legislation.

Bell said confidentiality and privacy is at the core of customer relationships.

He went on to say it would be premature to comment on the introduction of data disclosure laws before the ALRC's final report is handed down next year.

"But we are certainly awaiting the outcome of the report as the ABA has made a submission to the ALRC on the privacy review," Bell said.

No comments: