Recent cyber attacks have caused lawmakers to rethink cyber crime laws, writes Middletons partner Dudley Kneller.
With yet another security breach coming to light in recent days, it seems inevitable that some form of mandatory breach notification law and enhanced cyber crime laws are just a matter of time. Just over a month after Justice, Home Affairs and Minister for Privacy and Freedom of Information Brendan O'Connor stated that the development of mandatory breach notification laws appears to be "necessary", Citigroup, the Australian Institute of Company Directors (AICD) and Distribute.IT have all experienced serious data security breaches.
Earlier this month Citigroup announced that hackers had accessed Citigroup's online system, which allows customers to manage their bank cards. The data compromised included names, account numbers, email addresses and other contact information. Approximately 360,000 customers were affected, significantly more than the figure of 210,000 initially provided by Citigroup.
Although the breach was discovered by Citigroup on 10 May, Citigroup was slow off the mark. Customers were not immediately notified, and replacement cards were not issued to affected customers until over two weeks later. The public was made aware a further week after that.
In Australia the AICD breach occurred when a laptop was stolen from its Sydney office during a scheduled power outage when the building's security doors were disabled. The laptop held the information of about 28,000 members (including directors of some of Australia's largest companies, government bodies and charities) and 38,000 customers (including public and private companies). The data consisted of names, residential addresses, phone numbers and dates of birth.
In the last few days Australian web hosting provider Distribute.IT experienced the most serious breach yet, one which has had devastating consequences for the company and the customers affected. The hack resulted in the loss of data for about 4,800 web sites. Distribute.IT initially spent some days trying to recover the data, only to declare that it was "unrecoverable" due to the extent of the damage to its systems. NetRegistry has since opportunistically acquired the distressed company and is now working closely with affected customers to transfer them across.
All of these breaches have serious consequences for the organisations involved as well as their customers. The Distribute.IT breach in particular left the company badly exposed. Delays in notifying customers, inadequate security measures and unauthorised disclosure of personal information all pose significant risk to companies affected by security breaches. The costs involved in rectifying the breaches, issuing new cards and notifying affected customers are significant. The impact on reputation should not be underestimated either. These breaches have attracted broad interest from the media as well as from government. Regulators and companies affected by the breaches will have to work hard to re-establish trust with their customers and other stakeholders.
All this comes less than two months after a security breach at Sony sparked renewed Government interest in mandatory breach notification laws. The breach of Sony's servers resulted in hackers obtaining over 100 million users' account information, and analysts have indicated that they expect the breach will cost Sony about $200 million to recover from. Sony's failure to notify users until a week after discovery of the breach attracted broad criticism.
However, the issue of mandatory notification is not something new. The Australian Law Reform Commission (ALRC) pushed for the introduction of mandatory notification requirements in its 2008 review of Australian privacy law.
Specific recommendations included the introduction of a mandatory notification system requiring businesses to notify the Privacy Commissioner and affected persons that specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person. The recommendations also included a civil penalty system, to be enforced by the Privacy Commissioner where a business fails to issue a notification.
When businesses can expect the mandatory requirements to come into effect, and what form these mandatory notification requirements will take, is still unclear.
The Government has not stopped there, however. Following renewed interest in mandatory breach notification laws, the Government last week introduced the Cybercrime Legislation Amendment Bill 2011 (Bill) to Parliament. The key changes proposed in the Bill include enhanced investigation procedures granting authorities preservation powers, the development of an international network of information for investigating agencies, and an increase in the number of cybercrime offences. The Bill brings Australia into line with the Council of Europe Convention on Cybercrime.
With the introduction of mandatory notification rules now seemingly inevitable, and with the strengthening of cybercrime laws proposed in new legislation last week, businesses that have taken steps to prepare will not only minimise their exposure to negative publicity and the risk of resulting liability, but will also be best placed to respond to the likely introduction of new regulatory frameworks moving forward.