NSW government agencies would be forced to reveal if they have been targeted by hackers under proposed legislation.
The reform would make NSW the first state to demand transparency on data breaches from its departments. The proposal comes after major hacks on Optus and Medibank have exposed legal flaws that allow cyber incidents to be kept secret.
In a separate development, the federal Attorney-General Mark Dreyfus is seeking to plug a similar loophole in the Privacy Act in light of the recent hacks.
A bill to amend the act in order to strengthen the Notifiable Data Breaches scheme passed the House of Representatives yesterday and is being looked at by a Senate committee ahead of a vote in that chamber before the end of the year.
That bill will also raise business penalties for serious privacy breaches from the current $2.2 million to fines as large as $50 million.
Separately, Dreyfus is expecting to receive a departmental review into the Privacy Act, which will inform a possible major overhaul of the 1988 legislation next year.
The new NSW bill would force government agencies to tell the privacy commissioner about any hacks involving personal information likely to result in serious harm. It would also require the agencies to tell the people who have been personally affected.
Those are similar provisions to what’s already in the federal Notifiable Data Breaches scheme, except the federal scheme applies to large private companies as well as public entities.
“Agencies will also have to satisfy a number of data management requirements, including making reasonable attempts to mitigate the harm done by a data breach, maintaining an internal data breach incident register, and have a publicly accessible data breach policy,” state Attorney-General Mark Speakman said.
The federal changes to the Privacy Act will give the Australian Information Commissioner new “information gathering power” that will allow it to assess suspected data breaches, and will also ensure the commissioner has “comprehensive knowledge” about what kind of information has been compromised in order to evaluate what harm could be done to individuals.
A pair of academics who have attempted to create a database of hacks, but found it near-impossible because of the lax rules around disclosures, have previously told Crikey there should be a central hub of information about breaches.
“There is huge scope for organisational judgment about disclosures … public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker said.
“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues.”
Good
about bloody time
Next gen computers will hack everything. Then what?
Is this not trying to reinvent the wheel and avoid tricky bits and keeping regulatory loopholes for some public and private sector entities under the guise of less red tape or bureaucracy?
If Australia, like the UK post Brexit, simply adopted the EU’s GDPR &/or Digital Services Directive which are far more comprehensive and robust, then there is more focus upon data security, hacking etc. with penalties for those who ignore or make mistakes?