Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Crikey
Crikey
National
Anton Nilsson

NSW tackles data breach law flaw in the wake of the Optus and Medibank hacks

NSW government agencies would be forced to reveal if they have been targeted by hackers under proposed legislation.

The reform would make NSW the first state to demand transparency on data breaches from its departments. The proposal comes after major hacks on Optus and Medibank have exposed legal flaws that allow cyber incidents to be kept secret.

In a separate development, the federal Attorney-General Mark Dreyfus is seeking to plug a similar loophole in the Privacy Act in light of the recent hacks.

A bill to amend the act in order to strengthen the Notifiable Data Breaches scheme passed the House of Representatives yesterday and is being looked at by a Senate committee ahead of a vote in that chamber before the end of the year.

That bill will also raise business penalties for serious privacy breaches from the current $2.2 million to fines as large as $50 million.

Separately, Dreyfus is expecting to receive a departmental review into the Privacy Act, which will inform a possible major overhaul of the 1988 legislation next year.

The new NSW bill would force government agencies to tell the privacy commissioner about any hacks involving personal information likely to result in serious harm. It would also require the agencies to tell the people who have been personally affected.

Those are similar provisions to what’s already in the federal Notifiable Data Breaches scheme, except the federal scheme applies to large private companies as well as public entities.

“Agencies will also have to satisfy a number of data management requirements, including making reasonable attempts to mitigate the harm done by a data breach, maintaining an internal data breach incident register, and have a publicly accessible data breach policy,” state Attorney-General Mark Speakman said.

The federal changes to the Privacy Act will give the Australian Information Commissioner new “information gathering power” that will allow it to assess suspected data breaches, and will also ensure the commissioner has “comprehensive knowledge” about what kind of information has been compromised in order to evaluate what harm could be done to individuals.

A pair of academics who have attempted to create a database of hacks, but found it near-impossible because of the lax rules around disclosures, have previously told Crikey there should be a central hub of information about breaches.

“There is huge scope for organisational judgment about disclosures … public disclosure is never required,” University of Sydney professors Jane Andrew and Max Baker said.

“We need a public repository of data breach information. All organisations should be required to file an annual notification so the public can build a better picture of data security, and to encourage organisations to foreground data security issues.”

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.