Credit providers included in new mandatory data breach reporting rules
The Australian Government's legislative timetable for the current sitting of Parliament includes the passage of new mandatory data breach requirements.

The Government plans to introduce the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, which sets out mandatory breach notification provisions for entities regulated by the Privacy Act, including credit reporting bodies and credit providers.

When a business suffers a breach of secure information, accidental loss of data, or negligent or improper disclosure of information, it will have to inform anyone affected as well as the Office of the Australian Information Commissioner.

The amendment includes a detailed description of the types of credit information covered, ranging from credit card details to credit reports.

Financial institutions will be responsible for breach reporting if they have provided credit data to an overseas entity and that entity suffers a breach.

The purpose of breach reporting is to give people affected an opportunity to take steps to mitigate any loss or harm by changing passwords, cancelling accounts and so on. Organisations reporting breaches will be required to assist affected individuals to take remedial steps, such as issuing new passwords.

A breach is a serious data breach when there is "a real risk of serious harm to the individual." Serious harm includes physical, psychological, emotional, economic and financial harm, as well as harm to reputation.
Notification will be compulsory unless it would affect a law enforcement investigation or is deemed by the regulator to be contrary to the public interest.

The OAIC will have the power to direct organisations to issue breach notifications in situations where it judges that a serious breach has occurred and no notification has been made.

Mandatory data breach reporting has been on the legislative agenda for some time. In 2013 the Australian Privacy Commissioner criticised the existing voluntary reporting system, saying that notifications had fallen despite an increase in the frequency of data breaches.

The commissioner said in a statement: "The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has grown."

"Despite this upward trend, the Office of the Australian Information Commissioner only received 46 data breach notifications in 2011/12, an 18 per cent decrease from the previous year."

"I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring."

The Labor Government introduced a mandatory reporting bill the same year, but an election intervened and the bill lapsed.