AISA Brisbane Branch Meeting 8 June 2016


1 AISA Brisbane Branch Meeting 8 June 2016
Agenda
- Introduction
- Thank you to venue sponsor Dimension Data
- Discussion: Mandatory Data Breach Notification
- Wrap and close 6:00 pm

2 AISA Brisbane Branch Meeting 8 June 2016
Mandatory Data Breach Notification Discussion
- Chatham House rules
- Scene setting
- AISA submission – Jodie Siganto
- Discussion

3 AISA Brisbane Branch Meeting 8 June 2016
MDBN issues from practice contributed by Nicole Murdoch:
- Time to notification – I need to act quickly
- Ramifications for a contract of which I am a part, e.g. an NDA
- They decide harm; I may not have the same view

4 AISA Brisbane Branch Meeting 8 June 2016
Mandatory Data Breach Notification Discussion

5 Data Breach Notification in Australia
Jodie Siganto June 2016

6 History
- First Data Breach Notification Law (DBNL) – introduced in California in 2002
  - Last-minute inclusion
- Adopted throughout the U.S. at State level: 47 different State DBNLs
  - Spread through "diffusion"
- Federal DBNL proposed but not passed
  - Businesses with PII on > 10,000 individuals must notify without unreasonable delay unless ‘there is no reasonable risk that the breach will result in any harm’
- Data breach notification provisions in GLBA and HIPAA
- Notification laws are a unique type of regulation. Most other regulation is either:
  - Ex ante regulation: regulating you before you do something, e.g. safe workplace regulation, can’t practice as a doctor unless you’re registered, must wear a seat-belt, must retire as a judge once you’re 70 years old
  - Ex post liability: penalising you after you’ve done something wrong, e.g. disqualify you from acting as director after bankruptcy, fine you for driving at > 60 km/h
- Many differences between each State’s law:
  - Application: business incorporated in the State; person whose data is affected resides in the State
  - Triggers & types of information affected, e.g.:
    - Breach of system plus unauthorised acquisition by a third party (California)
    - Unauthorised acquisition plus "the database owner knows or should know that it has resulted in or could result in identity deception, identity theft or fraud" (Indiana)
  - Requirements on who to report to: regulator (State Attorney General) and/or affected people; other parties – law enforcement
  - Remedies: fines, State prosecution, civil action
- Obama Cybersecurity Bill

Most states in the US have passed their own data breach notification laws, many based on the Californian law that requires notification of security breaches to affected consumers residing in California. However, there are a number of different proposals currently being considered by the US legislature to create a consistent national notification scheme.

The model proposed by the Obama administration would only apply to businesses that collect “sensitive personally identifiable information” concerning more than 10,000 individuals during any 12 month period. These businesses would be required to notify affected individuals of a data security breach unless there is no reasonable risk that the breach will result in any harm. Notifications would need to be made without unreasonable delay and no later than 60 days from the breach. Other proposals currently being considered might require faster notification, with one suggestion being that the notification should take place within 48 hours of completing an investigation into the breach.

7 U.S. Experience
- Better security?
- Significant compliance burden
- Increased data security litigation – class actions & action by State Attorneys General
- Introduction of "reasonable information security" laws: any legal entity that “owns, licenses, stores, or maintains personal information about one or more residents of Massachusetts” is required to “develop, implement, maintain, and monitor a comprehensive, written information security program applicable to any records containing such personal information.”
- Better security?
  - Rise in use of encryption??
  - Slight reduction in identity theft (1.8% decline)

8 EU Experience
- Current DBNL only applies to electronic communication providers
  - Regulator to be notified of all breaches
  - If serious breach – must notify affected persons
  - Trigger: "likely to adversely affect the protection of the personal data or privacy"
- Proposed new Data Protection Law will include DBN:
  - Applicable to all organisations that hold personal information
  - Must notify authority as soon as possible & if feasible within 24 hours
  - Penalties of up to 5% of annual revenue
- Network and Information Systems Directive: new cybersecurity law for essential service providers
  - Includes DBN obligations – notify regulators of serious breaches

9 History of DBN in Australia
- DBN recommended by ALRC in its 2008 review (Chapter 51). Reasons for recommending DBN:
  - Can protect the PI from further exposure
  - Encourages greater transparency about information-handling practice
- DBN not included in 2012 Privacy Act Amendment Bill
- 2012: AG Discussion Paper released
- 2013: Privacy Act (Privacy Alerts) Bill
- 2014: Same Bill re-introduced in Senate
- 2015: Parliamentary Joint Committee on Security reviewed proposed mandatory data retention law; recommended passage of DBN before end of 2015
- Draft new legislation released December 2015

10 DBN Bill
Privacy Amendment (Notification of Serious Data Breaches) Bill 2015
- New Part IIIC to be inserted in the Privacy Act
- Subject to same exceptions as Privacy Act: doesn’t apply to SMEs, journalists, political parties, employee records held by non-government agencies
- Applies to ‘personal information’
- Applies where there has been a ‘serious data breach’:
  - Unauthorised access, disclosure or loss; and
  - Real risk of serious harm
- Draft legislation released for discussion: not introduced into Parliament yet
- If passed – will commence 12 months from royal assent
- Separate provisions for loss of credit reporting information and tax file numbers
- A “serious data breach” is:
  - an unauthorised access to or disclosure of personal information which will result in a real risk of serious harm to an individual whose PI has been disclosed;
  - a loss of personal information which is ‘likely’ to result in unauthorised access to or disclosure of personal information; or
  - a loss of information which ‘may’ result in unauthorised access to or disclosure of the information, where the information is of a kind specified in the regulations.

11 Real Risk of Serious Harm
- “Real risk” defined to mean “not remote”
- “Harm” defined to include: physical harm, psychological harm, emotional harm, economic harm, financial harm, harm to reputation
- AISA Rec: need more clarification, e.g. ‘possible’
- AISA Rec: should be assessed objectively
- The Attorney-General's Department (Department) submitted: “[The proposed standard] is therefore a commonly understood concept amongst agencies and organisations that have sought to comply with the OAIC guide” and that “the OAIC will prioritise the amendment of the [OAIC guide] to address and provide clarity on the operation of the new mandatory notification requirements”.
- Committee review of previous bill – considered meaning of “real risk of serious harm”; AG submitted: “commonly understood concept”
- Explanatory Memo: want to capture data breaches that are significant enough to warrant notification, but don’t want to create or impose an unreasonable compliance burden on entities or risk “notification fatigue”
- Evaluate risks associated with the breach:
  - Information: what type of information was involved? How sensitive is it? Was it protected by encryption? How could it be used?
  - Breach: what was the cause and extent of the breach? Was the information lost or stolen? Has the information been recovered? What steps have been taken to mitigate the loss?
  - Who is affected: how many and what sort of people/organisations are affected?
  - Foreseeable harm: what would be the reasonable expectations of affected parties? Who is the recipient? Will the information come into the possession of the media? What damage could come to the individual, the organisation or the public from the breach?

12 Timing of notice
- Notify as soon as practicable once you are aware, or ought reasonably to be aware, that there are reasonable grounds to believe there has been a “serious data breach”
- Can take time to assess: have up to 30 days to consider whether there are reasonable grounds to believe that a serious data breach has occurred before notification is required
- AISA Rec: 30 days is adequate time

13 Who & what must be notified
- Each individual who is significantly affected by the breach
- Copy of notice to the Privacy Commissioner
- Notice of breach must contain:
  - Identity and contact details of entity
  - Description of breach
  - Kinds of information concerned
  - Recommended steps for affected persons to take in response to the breach
  - Not an exhaustive list
- AISA Rec: Commissioner should publish details (anonymised if necessary) of notified data breaches.

14 Commissioner’s Powers
- Privacy Commissioner can:
  - Direct entity to provide notice
  - Exempt entities from notification where in the public interest
- Failure to notify in accordance with the Act = interference with the privacy of an individual
- Privacy Commissioner has all the powers and can access all remedies available where there’s been an interference, e.g.:
  - Do investigation
  - Make determination
  - Apply for civil penalty

15 Other AISA Recommendations
- Identify appropriate reporting mechanism where more than one entity ‘holds’ the PI
- Expert advisory panel to be established to advise Commissioner on clarifications and development of guidance
- Provide 3 year window for PI held overseas to allow for changes to relevant contractual provisions

16 Likely Effect of DBN Laws in Aus
- More visibility of the problem?
- Slight reduction in identity theft
- Could lead to more litigation
- May lead to broader data security regulation
- Encourage better security??
  - 72% of AISA members believe that DBN will result in better network and data security
  - But compare experience in U.S.:

It is short-sighted to rely on notice alone to protect against the problems that flow from data security breaches. Without doubt, the real concern is not with notification, by itself, but with unsuccessful data security practices within organisations. From this perspective, data breach notification laws that don’t incorporate information security and risk assessment procedures are not likely to achieve long-term success because they provide few incentives to encourage full disclosure and regulatory compliance over time.[123] While notification might be a useful way to gain a better understanding of the scope and scale of the problem, as well as to give customers more control over their personal information and encourage organisations to boost their network security, it is not going to prevent data breaches from occurring over time.[124] Moreover, the traditional model of data breach notification laws, discussed above, fails to differentiate between organisations that implement good quality information security practices in the long-term, and those that demonstrate a wanton and reckless disregard for the personal information they are responsible for protecting.[125] What is needed is a process-based model that combines corporate accountability and the implementation of effective technical and non-technical organisational practices.[126] More collaborative forms of regulation can be expected to reduce the need for punitive measures, as well as decrease the cost of public enforcement (particularly when non-compliance within organisations is difficult to detect and easy to cover up).[127] The process-oriented approach to regulation has become the instrument of choice for managing risk in publicly traded companies, as well as banks, in the US.[128] Organisations in a multiplicity of different industry sectors are now required by law to abide by industry-specific ‘soft’ management process standards, such as the GLBA, discussed above, and establish risk-assessment and information security schemes to protect information.[129] Since ‘risk’ itself is highly context-specific, and plays out differently across a range of diverse industry sectors, the choice of security measures and technology implemented can depend upon the type of organisation, in terms of its size, its sophistication/complexity, the type and scope of its business activities, as well as the nature and quality of the data protected.[130] A risk-based approach uses less coercive forms of regulation and emphasises self-regulatory initiatives wherever possible.[131] It allows for mitigation objectives to be determined internally, on an individual basis, according to the idiosyncratic threats faced by the organisation at the relevant time period, as well as the costs of responding to them.[132] The goal is to simply set ‘reasonable’ standards for information security, and leave it up to the regulated entities to develop their own security processes, rather than stipulating the measures that must be adopted, or the outcomes that must be achieved.[133] Ultimately, this leaves regulated firms with the task of setting appropriate standards, and it enables them to review, rework and revise their own risk-reduction goals independently, particularly as technology progresses.[134]

17 Discussion
Other issues:
- Does this mean that every entity should notify (assuming every entity has been compromised in some way)?
- Does DBN legislation favour organisations who don’t have good detective controls in place?
- Why would you notify?
- Is the Privacy Commissioner the right regulator – rather than ASIC, ACCC?
