Title: Does Australia Really Need Mandatory Data Breach Notification Laws And If So, What Kind?
Author: Sara M Smyth
EAP date (approved for print): 20 October 2013
DOI: 10.3778/JLIS.2013.22.Smyth.1



Note to users: Articles in the Epubs ahead of print (EAP) section are peer
reviewed accepted articles to be published in this journal. Please be aware
that although EAPs do not have all bibliographic details available yet, they
can be cited using the year of online publication and the Digital Object
Identifier (DOI) as follows: Author(s), Article Title, Journal (Year), DOI, EAP
(page #).
The EAP page number will be retained in the bottom margin of the printed
version of this article when it is collated in a print issue. Collated print
versions of the article will contain an additional volumetric page number.
Both page citations will be relevant, but any EAP reference must continue to
be preceded by the letters EAP.

ISSN-0729-1485
Copyright © 2013 University of Tasmania
All rights reserved. Subject to the law of copyright no part of this publication
may be reproduced, stored in a retrieval system or transmitted in any form or
by any means electronic, mechanical, photocopying, recording or otherwise,
without the permission of the owner of the copyright. All enquiries seeking
permission to reproduce any part of this publication should be addressed in
the first instance to:
The Editor, Journal of Law, Information and Science, Private Bag 89, Hobart,
Tasmania 7001, Australia.
editor@jlisjournal.org

http://www.jlisjournal.org/


EAP 1
Does Australia Really Need Mandatory Data Breach
Notification Laws And If So, What Kind?
SARA M SMYTH*

Introduction
IT security is a vital part of the competitive strategy of any business as it
facilitates the collection, storage and transmission of personal information
which is vital to success in today's global marketplace. Yet safeguarding
information has become a complex task for organisations operating within
global information networks, as it invariably exposes them to new security
risks.[1] Until recently, businesses could cover up data security breaches
because they were not under a legal duty to disclose them to anyone.[2]

However, the enactment of data breach notification laws in many parts of the
Western world has uncovered the misuse of data by organisations in a variety
of industry sectors. This is significant when one considers that just one data
security breach can jeopardize the personal information of people in multiple
jurisdictions around the world.[3]

Mandatory data breach notification has been defined by the Australian
Government as,

    a legal requirement imposed upon particular entities to provide
    notice to affected persons and the relevant regulator when
    certain types of personal information are accessed, obtained,
    used, disclosed to, copied, or modified by unauthorized
    persons.[4]

Generally, unauthorised access can occur as a result of a malicious breach of
the secure storage and handling of that information (eg a hacker attack),
accidental loss (most commonly of IT equipment or hard copy documents), a
negligent or improper disclosure of information, or otherwise.[5]

* BA; LLB; LLM; PhD (Law). Associate Professor, Bond University, Faculty of Law, Gold Coast, Australia.
[1] Cecile de Terwangne, 'Is a Global Data Protection Regulatory Model Possible?' in Gutwirth, et al (eds), Reinventing Data Protection? (Springer, 2009) 177.
[2] Vincent R Johnson, 'Cybersecurity, Identity Theft and the Limits of Tort Liability' (2005) 57 Southern California Law Review 255; Paul M Schwartz and Edward J Janger, 'Notification of Data Security Breaches' (2006) 105 Michigan Law Review 913, 917.
[3] Ibid 917.
[4] Commonwealth of Australia, Attorney-General's Department, Australian Privacy Breach Notification (Discussion Paper, October 2012) 2 <http://www.ag.gov.au/Consultations/Documents/AustralianPrivacyBreachNotification/AustralianPrivacyBreachNotificationDiscussionPaper.PDF>.
Journal of Law, Information and Science Vol 22(2) 2012-2013

EAP 2

This Article explores how to best implement mandatory data breach
notification laws in Australia. Currently, there is no obligation under
Australian law mandating organisations to report data breaches to regulatory
agencies or affected individuals. The lack of oversight and secrecy around
data breaches makes it difficult to generate reliable statistics about the nature
and quantity of these incidents occurring across the nation. The threshold
question, of course, is whether such a scheme is warranted. The issue of
whether Australia needs these laws is ripe for debate because former
Prime Minister Julia Gillard's Government introduced a mandatory data
breach notification bill into Parliament in May 2013, before being defeated in
an election a mere four months later.[6] The Bill came more or less five years
after the Australian Law Reform Commission (ALRC) concluded a
twenty-eight month inquiry into the efficacy of the federal Privacy Act and
released its Review of Australian Privacy Law, which recommended that a data
breach notification scheme be implemented at the federal level in
Australia.[7] The ALRC examined data breach notification laws in other
jurisdictions, particularly those in the United States (US) and the European
Union (EU), and ultimately recommended that the issue be dealt with as a
privacy matter through changes to Australia's privacy law regime.[8]

An important argument in favour of mandatory data breach notification is
that it can give people the opportunity to reduce the impact of data security
breaches, such as by cancelling credit cards or changing account passwords,
and it can increase public confidence in the handling of consumer
information. Critics counter that data breach notification laws negatively
impact businesses. And it's true that the stakes for companies are extremely
high: an exposed data leak will almost certainly have a negative impact
upon consumer confidence in a breached organisation, as well as its brand
and bottom line. It is evident, though, that by enacting these laws, the
Australian Government would enable business owners, consumers, law
enforcement agents and policy makers to gain a more accurate picture of the
data security breaches occurring each year.

[5] Ibid.
[6] The Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 was recently circulated by the Federal Attorney-General's Department on a limited and confidential basis. Darren Paul, 'Exclusive: Data Breach Notification Bill Revealed' (2 May 2013) Secure Business Intelligence Magazine <http://www.scmagazine.com.au/News/341776,exclusive-data-breach-notification-bill-revealed.aspx>.
[7] Australian Law Reform Commission (ALRC), Review of Australian Privacy Law, Discussion Paper No 72 (September 2007) <http://www.austlii.edu.au/au/other/alrc/publications/dp/72/>.
[8] Commonwealth of Australia, Attorney-General's Department, above n 4, 5.
Does Australia Really Need Mandatory Data Breach Notification Laws?

EAP 3
Following this Introduction, Part II looks at data breach notification laws
implemented in jurisdictions outside Australia. Attention is given to the
state-focused legislative scheme adopted throughout the United States and the
intra-state model implemented across the European Union. This analysis is
significant because the ALRC looked to the approaches adopted in these
jurisdictions when considering how Australia should implement mandatory
data breach notification laws at the federal level. Following this, Part III looks
at the mandatory data breach notification scheme proposed by the Gillard
Government. Given the importance of this issue, it is recommended that
Prime Minister Abbott's Government endorse the creation of a mandatory
data breach notification scheme, of a similar kind, in the future.
Ultimately, what is needed is a holistic graded approach which combines
'hard' regulatory requirements, in the form of data breach notification and a
statutory duty of sound information security practices, along with 'soft'
requirements for self-regulation through risk-management, employee
education, and the like. The discussion in Part IV builds upon these
recommendations. The trend in the US for regulating publicly traded
companies, as well as banks, is to set reasonable standards for information
security, and leave it up to the regulated entities to develop their own
information security processes. With this in mind, Part V concludes with a
summary and recommendations for the adoption of a similar approach in
Australia.

1 Mandatory Data Breach Notification Laws Outside Australia

There are two primary purposes behind all data breach notification laws.[9] The
first is to impose reputational sanctions upon organisations with substandard
information security practices and compel them to improve their data security
procedures and policies.[10] The second is to formally protect and enhance the
rights of consumers to control how their personal information is collected,
utilised and divulged to others and, moreover, to ensure that those affected
by data breaches are notified of this risk and given an opportunity to mitigate
their losses.[11]

As a general rule, data breach security notification laws address the following
issues: the question of what constitutes a 'security breach', as well as 'harm';
the meaning of 'personal information'; the person(s) who must be notified
and when notification must take place; how notification is to occur and what
the notification should contain; and the consequences for failing to notify
and/or neglecting to abide by the mandatory data protection rules.[12] The
obligation to notify, which is fundamental to all data security breach
notification laws, is intended to increase accountability on the part of public
and private organisations by ensuring that these entities assume
responsibility for the information they collect and, in turn, become
accountable for their actions in the storage and use of that data. This does not
necessarily include punishing breached entities, which is frequently done in
the US, because this might discourage organisations from reporting breaches
to anyone.

[9] Mark Burdon, Bill Lane and Paul von Nessen, 'The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments' (2010) 26(2) Computer Law & Security Review 115.
[10] Ibid.
[11] Ibid.

EAP 4
From this point of view, the normative basis for data breach notification law
is the management of risk by both regulators and stakeholders.[13]

Governments can take steps to limit the risks faced by individuals and
organisations by imposing legal and technical standards while taking into
account how quickly technological capabilities can change.[14] Ultimately,
though, the protection of consumers' personal information rests on risk
management decisions made by the relevant stakeholders in terms of whether
or not the appropriate protections are in place, or the relevant precautions are
adhered to.[15] Regulation can stem from a combination of legal rules, technical
standards, and management norms, including risk-management, surveillance
and enforcement. The government can set market-oriented standards that
seek to reduce risk and increase safety, and stakeholders can take precautions
and implement systems to reduce harm.[16] In other words, law, technology
and self-regulation have an important and equally legitimate role to play in
enhancing accountability and mitigating risk. As discussed below, mandatory
data breach notification law is only one component of this regulatory
objective.

This Part examines mandatory data breach notification statutes implemented
in jurisdictions outside Australia. The first example of mandatory data breach
notification laws was implemented by the US Government, following a
number of large-scale data breach incidents across America. Most notably,
approximately 160 000 individuals had their social security numbers and
other private information forsaken by ChoicePoint, a company that compiles
consumer data for resale (which is now a division of LexisNexis), resulting in
more than 800 cases of identity theft.[17] In the wake of that alarming episode,
the Attorney General of California declared that, '[v]ictims of identity theft
must act quickly to minimize the damage; therefore expeditious notification
of possible misuse of a person's personal information is imperative.'[18]

[12] Jacqueline May Tom, 'A Simpler Compromise: The Need for a Federal Data Breach Notification Law' (2010) 84 St John's Law Review 1570, 1577.
[13] Pierre Trudel, 'Privacy Protection on the Internet: Risk Management and Networked Normativity' in Gutwirth, et al (eds), Reinventing Data Protection? (Springer, 2009) 318.
[14] de Terwangne, above n 1, 175.
[15] Ibid.
[16] Trudel, above n 14, 329.
[17] Tom, above n 12, 1569.

EAP 5

Unfortunately, though, California's data breach notification statute did little,
if anything, to stem the rising tide of data security breaches across the US.
Regan reports that,

    [the ChoicePoint breach] was quickly followed by other similar
    disclosures of security breaches by the LexisNexis Group, Bank
    of America, and Citibank ... [and] by the end of October, 2005,
    the Privacy Rights Clearinghouse had identified eighty data
    breaches in the previous eight months, involving [personal data
    belonging to] more than 50 million people.[19]

The enormity of the crisis and the resulting media attention it garnered, in
addition to public and governmental fears about identity theft, brought the
problem to the attention of legislators throughout the country.[20] California's
data breach law was exceptional and unique until a similar statute was
passed in the state of Arkansas on 31 March 2005.[21] Since then, it has served as
a model for a plethora of other state initiatives, and it has had a national
impact on the storing and safeguarding of personal information in
organisations across the US.

The data protection system implemented in the US is complex and
multi-tiered, comprising federal and state regulations, in addition to more
narrowly targeted sector-specific laws. Generally speaking, the state-wide laws
provide a market-based solution that, on the one hand, promotes consumer
protection through post-hoc measures including notification and mitigation,
while, on the other, compels the implementation of remedial information
security solutions, such as the implementation of sound data protection
policies and practices. In addition, there have been a large number of federal
proposals put forward for national legislation in relation to mandatory data
breach notification which have not been realised. In contrast, the European
Union has adopted a comprehensive protection regime at the intra-state
level. These divergent regulatory models illustrate that there are a variety of
ways to consider the problem of data protection, not least with respect to the
question of whether it is best dealt with from the perspective of privacy or
security, in terms of establishing technical safeguards, risk assessment/risk
management, harm reduction, accountability, and so on.[22]

[18] California Legislative Counsel's Digest, Bill Number: SB 1386 <http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020630_amended_asm.html>. See also Benjamin Wright, 'Internet Break-ins: New Legal Liability' (2004) 20(3) Computer Law and Security 171, 171.
[19] Priscilla M Regan, 'Federal Security Breach Notifications: Politics and Approaches' (2009) 24(3) Berkeley Technology Law Journal 1103, 1105.
[20] Ibid.
[21] Ark Code Ann 4-110-101 to 108 (2010).

EAP 6

However well intended they are, though, data breach notification laws have
been controversial in the US and the EU. Recent evidence shows that the
success of breach notification statutes in the US may actually be extremely
low, or even insignificant.[23] A well-documented study at Carnegie Mellon
University examined reporting data collected from the Federal Trade
Commission (FTC) for each state from 2002 to 2009, and compared states with
data breach notification laws to those without them. If the laws were effective,
the states with data breach notification laws should have experienced a
reduction in identity theft incidents compared with everyone else. Yet the
researchers found that the laws decreased identity theft by merely 1.8%.[24]
While the laws were most effective in the 6-12 months following their
implementation, this was simply the result of a temporary heightened
awareness by consumers of the notifications, causing them to briefly take
more precautions.[25]

These findings do not suggest that the data breach notification laws
implemented at the state level in the US have been effective at curbing
identity theft, where that crime is much more prevalent than in the European
Union or Australia.[26] One might presume then that the figures in these other
jurisdictions would be even lower. On the other hand, breach notification is
about more than simply reducing the incidence of identity theft. It is about
enabling people to have greater control over their personal information and
encouraging organisations to invest in security technologies. These issues are
explored in further detail in the remainder of this Part.

1.1 The United States

The Californian Civil Code 1798.29(a), which came into effect 1 July 2003,
requires Californian businesses that suffer data breaches of unencrypted
personal information to notify affected residents about it within a reasonable
time, without delay.[27]

[22] de Terwangne, above n 1, 180-181.
[23] Kristof van Quathem, 'Personal Data Security Breach Notification in the European Union: First Step Taken, More to Come' (2010) World Data Protection Report, Bureau of National Affairs, 21 <http://www.cov.com/files/Publication/3c4eadcd-c074-44f8-925f-4a63d5304d70/Presentation/PublicationAttachment/9c8fb8a0-b55a-4464-ac4b-4a7722eda833/Security%20breach%20Notigication%20in%20the%20EU,%20first%20step%20taken,%20more%20to%20come.pdf>.
[24] Sasha Romanosky, Rahul Telang and Alessandro Acquisti, 'Do Data Breach Disclosure Laws Reduce Identity Theft?' (2011) 30(2) Journal of Policy Analysis and Management 256.
[25] Ibid.
[26] van Quathem, above n 23, 21.

EAP 7
Notice must be particularised in that it must identify
the source and victim of the breach.[28] However, notification can occur via
letter, electronically (such as by email) or by posting on the organisation's
website, or via state media sources, if the breach involves more than half a
million people or would exceed a cost of more than USD$250,000.[29]

Without a doubt, the focus of the California statute is on giving notice to
customers 'within the most expedient time possible and without
unreasonable delay'[30] unless (a law enforcement agent or agency decides that)
it will impede a criminal investigation.[31] The underlying policy rationale is
that the apprehension and prosecution of suspects in identity theft cases is
more important than enabling the victims to protect themselves in the
aftermath of a breach and to mitigate their losses.[32] In addition to the
imposition of criminal penalties, the law also enables victims to sue breached
organisations in civil court for failing to abide by the notification and data
security requirements.[33]

Furthermore, according to the California statute, any person or business
'must notify the owner or licensee of [any breach of security of personal
information]'[34] following 'any unauthorized acquisition of computerized data
that compromises [its] security, confidentiality, or integrity'.[35] Building on the
aforementioned work of Schwartz and Janger, the authors Burdon, Lane and
von Nessen have observed that the California law has a low triggering
threshold because notification is required simply when an organisation has
suffered, or believes it has suffered, an 'unauthorised acquisition of
unencrypted and computerised personal information'[36] regardless of whether
the unauthorised person will go on to misuse it.[37]

[27] Cal Civil Code 1798.82(e) (2006). The California Civil Code 1798.82(e)(f) (2006) defines 'personal information' as:
    (e) an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    (1) Social security number.
    (2) Driver's license number or California Identification Card number.
    (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    (f)(1) For purposes of this section, 'personal information' does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
See also Flora J Garcia, 'Data Protection, Breach Notification, and the Interplay Between State and Federal Law: The Experiments Need More Time' (2007) 17 Fordham Intellectual Property Media and Entertainment Law Journal 693, 703.
[28] Schwartz and Janger, above n 2, 932.
[29] Ibid. Note that in California, notice may be either written or electronic.
[30] Ibid, 941.
[31] Cal Civil Code 1798.82(c) (2006).
[32] Schwartz and Janger, above n 2, 943.
[33] Ibid 943.
[34] Cal Civil Code 1798.82(b) (2006).
[35] Ibid 1798.82(d).

EAP 8
Thus, one of the most
striking objections to the California statute is that the requirement for
consumer notice is so loose that it produces an overabundance of data breach
disclosure letters, leading to what some critics have termed 'The Boy Who
Cried Wolf' predicament.[38] The trouble, as illustrated by Aesop's famous
fable, is that when people receive too many notices, they quickly learn to
ignore them, even in situations of real risk.

Schwartz and Janger have observed that the focal point of California's data
breach notification scheme is to impose a 'reputational sanction'[39] upon
businesses by ensuring that there is a maelstrom of publicity surrounding an
entity that suffers a breach.[40] And if this is, indeed, the primary purpose of
notification, then public recrimination is essential, as it enables consumers to
change their market behaviour in response to negative information.[41]
However, if the goal of the legislation is simply to enable affected customers
to take steps to mitigate their losses in the aftermath of a breach, then
identifying the source, or target, is far less essential.[42] Also, notification might
needlessly frighten consumers where little or no harm exists; or, conversely, if
notification in non-threatening situations becomes commonplace, it can lead
to a reduction in effectiveness by encouraging consumers to not react.[43]

The California model may also perversely encourage organisations to cover
up their mistakes and refuse to notify customers, or to inadequately respond
to breaches for fear of triggering their disclosure obligation, due to the threat
of economic and reputational sanctions. Moreover, it provides no mechanism
for regulators, and other organisations, to gain valuable knowledge of data
security failures, and thereby learn from those experiences.[44] Also, the
California data breach notification scheme assumes that consumers will rely
on reputational information to punish those entities with poor security
practices by taking their business elsewhere.

[36] Burdon, Lane and von Nessen, above n 9, 117.
[37] Schwartz and Janger, above n 2, 938.
[38] Ibid 916.
[39] Ibid 917.
[40] Ibid 936.
[41] Ibid 937.
[42] Ibid.
[43] Ibid 939.
[44] Ibid 944.

EAP 9
Yet these assumptions about consumer behaviour are overly optimistic (we
know, for example, that customers continued to shop at T J Maxx after the
store suffered a massive data breach event),[45] particularly if we take into
account the consumer fatigue that can result from the glut of data breach
notification letters arriving in one's mail.[46] The Ponemon Institute surveyed
9154 consumers who received some form of notification about a data breach
incident and apparently more than 39 per cent of these people thought that
the notices were little more than junk mail or marketing-related.[47] In addition,
48 per cent said that the notice was confusing, or misleading, and over 49 per
cent said that it did not provide them with enough detailed information.[48]

There is also considerable effort involved in switching service providers and
a lack of transparent data that would enable a consumer to objectively
evaluate the data security practices of institutions within the same industry
sector, such as determining whether better information security is being
offered at the Commonwealth Bank or the National Australia Bank.
Furthermore, if the target of the breach is an outsourcing entity, a consumer
cannot choose to stop doing business with the company that handles
payments, provides insurance, stores, or transports data for a third party.[49]

As previously mentioned, California's data breach notification statute also
contains a notification exemption for encrypted[50] information.[51] Thus, if an
organisation mishandles encrypted personal information, it does not have to
notify anyone.[52] The reasoning is to encourage public and private sector
entities to adopt encryption technologies to safeguard against the risk of data
breaches, and to reduce the regulatory compliance load upon businesses, as
well as to ensure that consumers are not overburdened by data breach
notification letters and the like.[53]

[45] Larry Greenemeier, 'The TJX Effect: Details of the Largest Breach of Customer Data are Starting to Come to Light' (11 August 2007) InformationWeek <http://www.informationweek.com/the-tjx-effect/201400171>; Jacob W Schneider, 'Preventing Data Breaches' (2009) 15 Boston University Journal of Science and Technology Law 279.
[46] Schwartz and Janger, above n 2, 946. Note that this issue is explored in further detail above.
[47] Ponemon Institute, National Survey on Data Security Breach Notification (26 September 2005) White & Case, 3 <http://www.whitecase.com/files/FileControl/863d572d-cde3-4e33-903c-37eaba537060/7483b893-e478-44a4-8fed-f49aa917d8cf/Presentation/File/Security_Breach_Survey%5B1%5D.pdf>.
[48] Ibid.
[49] Schwartz and Janger, above n 2, 947.
[50] Wenbo Mao, Modern Cryptography: Theory and Practice (Prentice Hall, 2004) 24. Encryption involves the transformation of digital information from plaintext to ciphertext so that it is unintelligible to anyone without the correct decryption key.
[51] Cal Civil Code 1798.82(e)(f) (2006).
[52] Mark Burdon, Jason Reid and Rouhshi Low, 'Encryption Safe Harbours and Data Breach Notification Laws' (2010) 26(5) Computer Law & Security Review 520.

EAP 10
On the face of it, the use of encryption
software seems to be extremely valuable to organisations seeking to
safeguard personal information, in that it is likely to mitigate harm, while
increasing overall safety.

Proponents maintain that excluding encrypted data from notification
encourages regulated entities to adopt these technologies and keep them up
to date.[54] Moreover, the costs of encryption are far lower than the expenses
associated with data breaches.[55] However, opponents have raised alarm bells
about the inherent weakness of these technologies.[56] The fundamental
obstacle is that a number of data security breach scenarios do not necessitate
notification, regardless of whether a risk of harm exists.[57] In other words,
some encryption clauses, like the one contained in California's data breach
notification statute, can create an unacceptable loophole because any type of
encrypted information, regardless of how secure it is, will be exempt from
notification following a breach.[58]

Notwithstanding these shortcomings, over twenty-one state legislatures in the
US jumped on the data breach notification bandwagon and passed new laws
that year. To date, forty-seven states, the District of Columbia and two
territories, including Puerto Rico and the Virgin Islands, have enacted data
breach notification laws, and twenty-three of these are modelled after the
California law.[59] As with other public policy issues, the individual
states have designed their data breach notification statutes in accordance with
their unique values and interests.[60] This means that if a data breach involves
customers in more than one state, affected businesses need to expend a great
deal of time and effort ensuring that they understand the laws of each
applicable state, and how/when they need to comply with them, because
some states may require notification, while others may not.[61]

[53] Ibid 2.
[54] Sean C Honeywell, Note, 'Data Security and Data Breach Notification for Financial Institutions' (2006) 10 North Carolina Banking Institute 269, 296.
[55] Michael E Jones, 'Data Breaches: Recent Developments in the Public and Private Sectors' (2007) 3(3) I/S: Journal of Law and Policy for the Information Society 555, 564. According to Avivah Litan, the Vice President of Gartner Inc, who testified at a congressional hearing on this issue, encryption is estimated to cost roughly US$5 per user during the first year and US$1 for each account in subsequent years.
[56] Honeywell, above n 54, 296.
[57] Ibid. Another problem is that the states use different terms to determine what constitutes effective encryption standards. And, moreover, some are so broad and poorly defined, such as Maine's definition of encryption based on 'generally accepted practices', that they are ineffective.
[58] Burdon, Reid and Low, above n 52, 14.
[59] Burdon, Lane and von Nessen, above n 9, 117; Schwartz and Janger, above n 2, 925.
[60] Sara A Needles, 'The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law' (2010) 88 North Carolina Law Review 267, 280.

EAP 11

There are also a number of companies in the US that collect information about
individuals from both public and non-public records, and they must abide by
industry-specific 'soft' management process standards.[62] Financial
institutions, for example, as well as their outsourcing entities that access or
use customer information, are required to comply with Title V of the
Gramm-Leach-Bliley Act (GLBA), which was enacted in 1999.[63] Its purpose is
to facilitate information sharing among financial institutions in order to
safeguard customers' rights.[64]

If a financial institution opens a new account for a customer, it must provide
the individual with the following information (and on an annual basis from
then on) according to the GLBA: the personal information it collects; how it
intends to use the personal information; and how the individual can opt out
of those future uses.[65] United States financial institutions must also conduct
periodic risk assessments; develop data security procedures for managing
risk; use disclosure and other safeguards when security systems fail; and
penalise employees who do not abide by the data security measures in place.
These standards reflect a risk-management approach as they require financial
institutions to implement appropriate standards and processes to deal with
information security issues and concerns within their organisations.[66]

Similarly, the Health Insurance Portability and Accountability Act (HIPAA)
covers a variety of healthcare-related entities and their business associates
including: medical practitioners; nursing homes; pharmacies (if they transmit
electronic data); HMOs and health insurance companies; and third party
service providers, which must notify affected individuals following a breach
of health data, regardless of whether or not they own it, within 60 days of the
breach.[67] Reporting obligations vary depending on the scope and scale of the
breach; however, if the number of affected individuals exceeds 500, the entity
must notify prominent media outlets as well as the Secretary of Health and
Human Services (HHS), who will publish the breach on the HHS website.[68]

[61] Tom, above n 12, 1571.
[62] Jane K Winn, 'Technical Standards as Data Protection Regulation' in Gutwirth, et al (eds), Reinventing Data Protection? (Springer, 2009) 202.
[63] Gramm-Leach-Bliley Act of 1999, 15 USC 6801, 6805 (2000).
[64] Needles, above n 60, 294.
[65] Winn, above n 62, 202.
[66] Ibid.
[67] The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was passed as part of economic stimulus legislation and amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA): American Recovery and Reinvestment Act of 2009, Pub L No 111-5, 13421, 123 Stat 115, 276 (codified at 42 USC 17951).

EAP 12

There has also been recent discussion in the US about the advantages of having a federal data reporting law that would apply nationally as, for businesses involved in interstate commerce, the state system is a complex and convoluted regulatory nightmare; they must always keep informed about amendments to the state laws that might impact their policies and practices.[69]

For that reason, on 21 June 2012, Republican Senator Pat Toomey introduced the Data Security and Breach Notification Act of 2012.[70] The Bill was referred to Committee on that same day and did not proceed further.

It is noteworthy that, as with the state data breach notification laws discussed above, the focus of the federal Bill was on notification in the aftermath of a breach and not on implementing effective security measures that might prevent the incident from occurring in the first place. Only eight states impose a substantive duty upon organisations to take steps to protect data, such as by providing reasonable security procedures and practices.[71] Moreover, it is evident from the foregoing that the US model is excessively piecemeal in its approach. In addition, the broad scope of many data breach notification statutes in the US, particularly with respect to the setting of a low triggering threshold, has rendered the notice ineffective or even meaningless.[72]

1.2 The European Union

The EU has adopted a harmonised regulatory model for the protection of electronic data. Directive 2002/58/EC,[73] also known as the ePrivacy Directive, applies to all member states of the EU.[74] On 6 May 2009, the European Parliament voted to adopt the ePrivacy Directive, following an agreement struck between the European Parliament and the Council of Europe on its text. The Council of Europe formally adopted the Directive on October 26, 2009 and its member states had to bring their national laws into conformity by 25 May 2011.[75]

[68] Ariane Siegel et al, 'Survey of Privacy Law Developments in 2009: United States, Canada and the European Union' (2009) 56 Business Law 285, 286.
[69] Tom, above n 12, 1570.
[70] Data Security and Breach Notification Act of 2012 (S 3333); 112th Congress, 2d Session ('Data Breach Act').
[71] Schwartz and Janger, above n 2, 925. Note these states include Arkansas, California, Nevada, North Carolina, Rhode Island, Texas and Utah.
[72] Fred H Cate, 'Information Security Breaches and the Threat to Consumers' (September 2005) The Center for Information Policy Leadership at Hunton & Williams LLP <http://www.fredhcate.com/Publications/Information_Security_Breaches.pdf>.
[73] Note that a Directive is a legislative act of the European Union which requires all EU member states to implement laws to achieve the stated result.
[74] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L 201/37 ('Directive on privacy and electronic communications').

The scope of the Directive is narrower than that which applies across the US states, in that the provisions only apply to organisations in the electronic communications sector. The 2002 version of the ePrivacy Directive was amended and supplemented in December 2009 by the so-called Citizens' Rights Directive, which sets out obligations for ISPs and telecommunications service providers to notify affected individuals and/or authorities of security breaches that compromise personal information.[76] This amendment established the first mandatory data breach security disclosure regime for the EU, and it is likely that it will be the foundation for a broader security breach disclosure framework that will apply more broadly to other holders of personal information throughout the EU.[77]

On 7 February 2013, the European Commission made a proposed new Cyber-Security Directive public, in which it plans to expand the data security and system breach notice obligations to thousands of companies in designated critical sectors of the EU.[78] In addition, the European Commission has already proposed a new data protection regulation that would expand the data breach notice requirements already in place for telecommunications service providers under the 2009 amendments to other types of organisations.[79]

[75] Rosa Barcelo and Peter Traung, 'The Emerging European Union Security Breach Legal Framework: The 2002/58 ePrivacy Directive and Beyond' in Gutwirth et al (eds), Reinventing Data Protection? (Springer, 2009) 80.
[76] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws [2009] OJ L 337/11. See also Barcelo and Traung, ibid 77.
[77] Francoise Gilbert, 'Coming Soon to the European Union: Security Breach Disclosure Requirements' (2013) Global Privacy Book <http://www.globalprivacybook.com/blog-european-union/295-coming-soon-to-the-european-union-security-breach-disclosure-requirements>. On 6 May 2009, the European Commission (with the support of the European Parliament and Council of Europe) committed itself to begin working on a proposal for a general data breach notification law applicable to all entities holding personal data.
[78] Stephen Gardner and Jabeen Bhatti, 'EC Proposes Expanding Security, Breach Notice Obligations to EU Critical Sectors' (19 February 2013) Global Law Watch <http://www.globallawwatch.com/2013/02/ec-proposes-expanding-security-breach-notice-obligations-to-eu-critical-sectors/>. Note, though, that this reporting requirement would not apply to breaches of personal data but to systemic cyber-attacks that compromise data systems.
[79] Ibid.

A small handful of individual EU member states, including Germany and Spain, had already passed data breach notification type laws; however, the 2009 provisions, which apply broadly to all EU member states, override any national regimes that were already in place.[80] This regulatory scheme stands in stark contrast to the patchwork of regulatory initiatives implemented in the US, which, as discussed above, is made up of a multitude of state and federal regulations of different complexity, at various levels throughout the country.[81]

The Directive also contains mechanisms for regulators to learn about data security failures across the EU, which is an area in which the California data breach notification statute (as well as a number of subsequent state initiatives) falls glaringly short.

Pursuant to Article 2(h) of the ePrivacy Directive, a security breach must concern personal data. Personal data is broadly defined in Article 2(a) as 'any information relating to an identified or identifiable natural person'[82] and includes traffic data[83] to the extent that it relates to a person.[84] The provision also contains a definition of a personal data breach which is very broadly defined, as it covers breaches of any personal data (ie the destruction, disappearance, modification, unauthorised leak of or access to personal information in any form) in connection with the provision of a public electronic communications service.[85]

The obligation to disclose security breaches has two distinct features.[86] First, it includes a blanket duty to notify a national authority about a personal data breach.[87] This means that each personal data breach, as defined in Article 2(h), must be notified to the authorities, without exception.[88] In some member states this will be the data protection authority, whereas in others it will be the relevant telecommunications regulator.[89] This means that all breaches, regardless of their actual or potential harm, must be disclosed to the competent regulatory authority.[90] The notification to competent authorities must explain the outcome of the breach and the steps taken by the service provider to correct it.[91] The authorities can also issue their own guidance and instructions on the different aspects of breach notification, including circumstances, format and method/manner.[92] This broad-based obligation to notify the relevant regulatory authority is likely to generate more accurate and up-to-date statistics about the scope and scale of data breaches across the EU. Hopefully, this will enable policymakers to better understand the problem and implement further initiatives at the inter-state level to deal with it.

Second, in cases where the breach is likely to adversely affect the personal data or privacy of a subscriber or individual, the covered entity must notify the affected subscriber or individual without delay.[93] Notification to subscribers must explain the breach, provide information about how to get in touch with the service provider and recommend steps to reduce the harms suffered by the breach.[94]

[80] Barcelo and Traung, above n 75, 79.
[81] Ibid.
[82] Article 2(a) continues: 'in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity'.
[83] Generally speaking, traffic data includes any data relating to the transmission of a communication, indicating its source, destination, pathway, time/date, size, or type of service. This includes data about an email (ie in a draft box, an inbox, or in transit), the source, destination, size, heading, as well as the URLs visited, time spent online, and requests made to search engines for data and downloads.
[84] Barcelo and Traung, above n 75, 89.
[85] Article 2(h): 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community'.
[86] Barcelo and Traung, above n 75, 81.
[87] Article 4(3).
[88] Barcelo and Traung, above n 75, 91.

This provision is intended to ensure that consumers are notified about the potential risks they face in light of the breach and provide them with an opportunity to mitigate those threats, such as by modifying passwords and closing their accounts.[95] This is the fundamental policy rationale underpinning the ePrivacy Directive.[96] Barcelo and Traung have observed, though, that citizens' expectations for harm protection are not met by the revised ePrivacy Directive, as it currently stands, because '[f]rom a user perspective, it does not matter whether personal data are lost by a provider of communications services or by someone else'.[97]

The fact that individuals are only notified if the breach is likely to adversely affect their privacy or personal information is meant to solve the problem of over-notification and notification fatigue, discussed above, without significantly undercutting the citizens' right to be informed.[98] This appears to address the problem raised by the California data breach notification model, whereby the threat of reputational sanctions may encourage an organisation to cover up a breach and not self-trigger its notification requirement. However, regulatory authorities are entitled to conduct audits to determine whether or not providers have fulfilled their reporting requirements and are further able to impose sanctions in the event of non-compliance.[99] In addition, they can also overrule a breached organisation's finding that there is no possibility of injurious effects.[100]

[89] von Quathem, above n 23, 19.
[90] Ibid 20.
[91] Article 4(3)(5).
[92] Article 4(3)(2).
[93] von Quathem, above n 23, 19.
[94] Article 4(3)(5).
[95] Barcelo and Traung, above n 75, 81.
[96] Recital 59 states the notification of security breaches 'reflects a general interest of citizens in being informed of security failures which could result in their personal data being lost or otherwise compromised, as well as of available or advisable precautions that they could take in order to minimize the possible economic loss or social harm that could result from such failures'.
[97] Barcelo and Traung, above n 75, 88.
[98] Ibid 91.

The ePrivacy Directive also requires covered entities to take steps to safeguard data so that access can only be gained by authorised persons for lawful purposes, which includes putting a security policy in place with respect to the processing of personal data, and safeguarding the data against inadvertent or illicit destruction, loss, modification, access or leak.[101] Indeed, notification is not required if the covered entity can show that it had the appropriate defence mechanisms in place, such as those which would render data unintelligible to anyone without authorisation to access it (and if those were in use with respect to the compromised data at the time of the breach).[102] This is essentially the codification of the encryption exemption discussed above, which is designed to encourage organisations to adopt appropriate post-hoc security measures. Covered entities must also keep a record of all breaches, which must include: the specifics of the breach; the outcome; any corrective measures taken; and any other pertinent data demonstrating compliance with the breach notification requirement.[103]
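
The two-tier obligation described in the preceding paragraphs (every personal data breach goes to the competent authority without exception; individuals are notified only where an adverse effect is likely, and not where the data had been rendered unintelligible by protection that was intact at the time), together with the breach record requirement just described, can be expressed as a triage routine that an incident-response team might run when deciding whom to notify. The following Python is an added illustration, not text from the Directive, from this article or from any regulator's tool: the field names, the HIGH_IMPACT_CATEGORIES heuristic standing in for the 'likely to adversely affect' judgement, and the RECOMMENDED_STEPS mapping are all assumptions made for the example, and the sample event in the demo is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Categories that, in this illustration, make harm likely if exposed.
# Assumed classification: the Directive leaves the "likely to adversely
# affect" judgement to the provider and the competent authority.
HIGH_IMPACT_CATEGORIES = {"credentials", "payment", "health", "location"}

# Breach types from the Article 2(h) definition quoted in the text.
BREACH_TYPES = {"destruction", "loss", "alteration", "disclosure", "access"}

# Advice for affected individuals, keyed by data category (assumed mapping;
# the text itself mentions changing passwords and closing accounts).
RECOMMENDED_STEPS = {
    "credentials": "change this password and any account that reused it",
    "payment": "watch statements for unauthorised charges; consider cancelling the card",
    "health": "treat messages that quote medical details as possible phishing",
    "location": "review and revoke unneeded location-sharing settings",
}


@dataclass
class BreachEvent:
    """Facts established during incident response (assumed field names)."""
    event_id: str
    breach_type: str               # one of BREACH_TYPES
    categories: List[str]          # kinds of personal data involved
    affected_count: int            # subscribers/individuals concerned
    data_unintelligible: bool      # e.g. encrypted when the breach occurred
    protection_compromised: bool   # the key guarding that protection also leaked
    corrective_measures: List[str] = field(default_factory=list)


@dataclass
class Decision:
    notify_authority: bool
    notify_individuals: bool
    exemption_applied: bool
    reason: str
    record: Dict


def protection_exemption_applies(ev: BreachEvent) -> bool:
    """The individual notice may be skipped only if the data was unintelligible
    to unauthorised parties AND that protection was intact at breach time."""
    return ev.data_unintelligible and not ev.protection_compromised


def likely_adverse_effect(ev: BreachEvent) -> bool:
    """Assumed heuristic: any high-impact category, or any disclosure of /
    access to personal data, counts as likely to adversely affect people."""
    if ev.affected_count <= 0:
        return False
    if set(ev.categories) & HIGH_IMPACT_CATEGORIES:
        return True
    return ev.breach_type in {"disclosure", "access"}


def assess(ev: BreachEvent, now: Optional[datetime] = None) -> Decision:
    """Apply the two tiers and produce the breach-inventory record."""
    if ev.breach_type not in BREACH_TYPES:
        raise ValueError(f"unknown breach type {ev.breach_type!r}")
    now = now or datetime.now(timezone.utc)
    notify_authority = True  # tier 1: every breach, without exception
    exemption = protection_exemption_applies(ev)
    if exemption:  # tier 2 suppressed by the protection exemption
        notify_individuals, reason = False, "data unintelligible; protection intact"
    elif likely_adverse_effect(ev):
        notify_individuals, reason = True, "likely adverse effect on individuals"
    else:
        notify_individuals, reason = False, "no likely adverse effect identified"
    record = {  # specifics, outcome, corrective measures, and audit facts
        "event_id": ev.event_id,
        "assessed_at": now.isoformat(),
        "breach_type": ev.breach_type,
        "categories": sorted(ev.categories),
        "affected_count": ev.affected_count,
        "outcome": reason,
        "corrective_measures": list(ev.corrective_measures),
        "notified_authority": notify_authority,
        "notified_individuals": notify_individuals,
        "exemption_applied": exemption,
    }
    return Decision(notify_authority, notify_individuals, exemption, reason, record)


def individual_notice(ev: BreachEvent, contact: str) -> Dict:
    """Subscriber notice content: what happened, how to reach the provider,
    and what to do about it."""
    steps = [RECOMMENDED_STEPS[c] for c in ev.categories if c in RECOMMENDED_STEPS]
    return {
        "description": f"{ev.breach_type} of {', '.join(sorted(ev.categories))} data",
        "contact": contact,
        "recommended_steps": steps or ["no specific action is needed at this time"],
    }


if __name__ == "__main__":
    # Constructed sample: an encrypted backup tape lost in transit, key intact.
    lost_tape = BreachEvent("constructed-001", "loss", ["name", "payment"], 5000,
                            data_unintelligible=True, protection_compromised=False,
                            corrective_measures=["rotated tape encryption key"])
    print(assess(lost_tape).record)
```

The record dictionary is the inventory entry the text says must be kept (specifics, outcome, corrective measures) plus the facts an auditor would need to re-check the decision, which matters because the authority can overrule a provider's finding of no adverse effect. The exemption never suppresses the authority notification; a team adapting this would replace the heuristic with the assessment criteria its own regulator publishes.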

The requirement for covered entities to implement robust security measures to safeguard against data security breaches is clearly meant to encourage service providers to invest in technological protection mechanisms to protect the data and prevent breaches from occurring. The underlying rationale is that they will augment their investment in security and implement internal policies and procedures to better protect personal data.[104] Although the failure of non-covered entities to adopt these measures on a voluntary basis suggests the need for formal regulation,[105] the Carnegie Mellon study, discussed above, in which the researchers found that similar kinds of data security breach notification measures implemented in the US reduced data theft by merely 1.8 per cent overall, demonstrates how difficult it is to implement effective enforcement mechanisms in this area. At the same time, though, the EU data security breach framework strikes a reasonable balance between the individual's right to be informed about breaches that may affect their personal privacy and the obligations imposed on covered entities; and, moreover, it is supported by rigorous enforcement mechanisms, which provide authorities with investigation and sanction powers in the event of non-compliance.[106]

[99] Article 4(4).
[100] Article 4(3)(4).
[101] Barcelo and Traung, above n 75, 83.
[102] Article 4(3)(3).
[103] Article 4(4).
[104] Barcelo and Traung, above n 75, 83.
[105] Winn, above n 62.

3 Mandatory Data Breach Notification Laws in Australia

Australia does not currently have mandatory data breach notification laws. However, the Privacy Commissioner, who is part of the Office of the Australian Information Commissioner (OAIC), encourages notification by entities in accordance with the OAIC's voluntary guidelines, entitled the Guide to Handling Personal Information Security Breaches.[107] The goal of the voluntary guidelines is to enhance security whilst encouraging and fostering transparency about the privacy practices of Australian organisations. The Australian Privacy Commissioner, Timothy Pilgrim, indicated that the voluntary scheme has been successful, as witnessed by the fact that in 2011-2012, the OAIC received 46 voluntary data breach notifications. In 2010-2011, the OAIC received 56 voluntary data breach notifications.[108]

Nevertheless, following the lead of the ALRC, the Federal Attorney General, under the leadership of the now-defunct Gillard Government, released a discussion paper in October of 2012 seeking comment from stakeholders on whether to introduce new laws to make the notification of data breaches mandatory at the federal level.[109] This proposal focused on amendments to the Privacy Act 1988 (Cth) as a means to implement data breach notification laws across Australia. While there are obligations in the Privacy Act to keep personal information secure from mishandling and illegal access, there is no requirement for agencies and organisations to notify individuals, regulators or law enforcement agents about data breaches.[110] This means that while covered entities are obligated to minimise the likelihood that personal information within their possession could be compromised, they are not required to notify any individual or agency in the event of an actual security breach.[111]

[106] Barcelo and Traung, above n 75, 104.
[107] Office of the Australian Information Commissioner, Guide to Handling Personal Information Security Breaches (2008) <http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches>. The guidelines were intended to help organisations respond effectively to an information security breach and to identify those situations when notification is appropriate.
[108] Office of the Australian Information Commissioner, Annual Report 2011-12, 'Message from the Privacy Commissioner, Timothy Pilgrim' <http://www.oaic.gov.au/about-us/corporate-information/annual-reports/oaic-annual-report-201112/message-from-the-privacy-commissioner-timothy-pilgrim>.
[109] Minter Ellison Alert, 'Federal Government Now Looks at Mandatory Data Breach Notification' (19 October 2012) Minter Ellison <http://www.minterellison.com/publications/federal-government-now-looks-at-mandatory-data-breach-notification/>.
[110] Information Privacy Principle 4 and National Privacy Principle.

Following an extensive period of government inquiry, recommendation and reporting on this issue, the Gillard Government introduced mandatory data breach notification laws at the end of May 2013.[112] If passed, the Bill would have amended the Privacy Act to introduce a new mandatory data breach notification system for Australian Privacy Principle (APP) Entities,[113] which include public sector agencies, private sector organisations (other than small business), credit reporting bodies and credit providers.[114] The mandatory data breach notification scheme put forward by the Gillard Government earlier this year replicated much of what the ALRC advocated in its 2008 discussion paper, including that the trigger for notification should be where the breached entity believes that a breach may give rise to a 'real risk of serious harm' to any affected individual.[115] Indeed, the threshold for notification under the Bill was based on a reasonable belief by the entity that the data breach is a 'serious data breach', which means that it is significant enough to pose a real risk of serious harm to affected individuals.

However, the Bill was not clear on the meaning of 'serious harm' other than to note that it includes harm to reputation, economic harm and financial harm, as long as the risk is not remote.[116] In the end, it will be up to the breached entities themselves to assess each violation on a case-by-case basis to determine whether the circumstances of the breach give rise to a reasonable belief that affected individuals face a real risk of serious harm. This may mean that affected companies have to provide notice to an extremely wide class of individuals, who might then want to seek compensation through a class action.[117] For that reason, breached entities may fail to self-trigger their notification requirement and cover up breaches due to the threat of reputational harm, as discussed in Part I above.

[111] Commonwealth of Australia, above n 4.
[112] Privacy Amendment (Privacy Alerts) Bill 2013 (Cth). Just prior to this, in early May 2013, the Australian Attorney General's Department circulated a confidential draft exposure bill, which would force organisations to notify the Australian Information Commissioner, affected consumers and occasionally the media when data breaches occur.
[113] Office of the Australian Information Commissioner, Privacy business resource 2: Privacy Act reforms Checklist for APP entities (organisations) <http://www.oaic.gov.au/privacy/privacy-resources/privacy-business-resources/privacy-business-resource-2-privacy-act-reforms-checklist-for-app-entities-organisations>.
[114] The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) passed through the Australian Parliament on 29 November 2012 and received royal assent on 12 December 2012. The reforms commence on Wednesday 12 March 2014. See: <http://www.oaic.gov.au/publications/FAQs/privacy_law_reform_faqs.html>.
[115] ALRC, above n 7.
[116] Sections 26ZE and 26ZF.
[117] Allie Coyne, 'Data breach laws to drive class actions: IAA' (4 June 2013) SC Magazine <http://www.scmagazine.com.au/News/345501,data-breach-laws-to-drive-class-actions-iia.aspx>.

Under the proposed Bill, an organisation would have been required to notify the Australian Information Commissioner in the event of a serious breach, outlining, among other things, the details of the serious breach; the compromised information; and any remedial steps that victims should take. The Bill also required the breached entity to notify each affected individual as soon as practicable with the following information: the identity and contact details of the breached entity; a description of the data breach; the kinds of information concerned; recommendations about the steps that individuals should take in response to the data breach; and any other information specified in the regulations.[118] The breached entity must provide this information directly, or take reasonable steps to notify the individual, or, if this is not possible, publish a copy of the statement on its website and in each state via newspaper publication.[119]

These notification requirements are problematic, however, for the same reasons discussed above with respect to the California data breach notification model. The broad scope of the term 'serious harm' gives rise to the possibility that organisations will over-notify (particularly if they fear recrimination by the OAIC), thus leading to notification fatigue and other related problems discussed earlier. Moreover, reputational sanctions, by themselves, have been shown to be ineffective because individual consumers are generally reluctant to vote with their feet and leave a breached organisation, or are not equipped to do so for a variety of reasons, as set out in Part I.

The Australian Information Commissioner could also exempt organisations from having to publicly report data breaches if it is deemed to be in the public interest, such as where doing so would impede a law enforcement investigation.[120] The Bill also enabled the Australian Information Commissioner to direct an entity to notify affected individuals if they have not done so. A failure to comply with the notification requirement further triggers the Commissioner's enforcement powers, including the power to award compensation and civil penalties for serious or repeated infractions.[121]

At first glance, the requirement of notification to the Australian Information Commissioner appears to get around the problem of non-reporting that the fear of reputational sanctions can give rise to, as discussed above. However, this is unfortunately not the case, because the proposed law would not have applied to the bulk of private sector companies in Australia (as it only applied to APP Entities) and, moreover, not all data breaches were required to be notified to the Commissioner, rather only those where the risk is not remote. These issues would need to be re-examined before data breach notification laws could be effectively implemented in Australia.

[118] Section 26ZB(2).
[119] Section 26ZB.
[120] Section 26ZB.
[121] Pursuant to the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 (Cth), offenders could face fines up to $22,000 for individuals and $110,000 for organisations. Repeat and serious offenders would have faced financial penalties of up to $220,000 for individuals or $1.1 million for organisations.

4 Achieving Enhanced Regulation and Data Protection

There is a close nexus between the failure to safeguard personal information and the occurrence of data security breaches, and this is measurable in terms of economic harm, or financial liability.[122] Indeed, the primary goal of data breach notification law is to minimise the pecuniary losses that emanate from unauthorised access to personal information, particularly in the context of identity theft. This is the primary goal of the reputational sanctions that underlie breach notification statutes: through negative publicity, an organisation can be compelled to change its information security practices, resulting in fewer breaches, and therefore less cost to individual and organisational victims.

However, it is short-sighted to rely on notice alone to protect against the problems that flow from data security breaches. Without doubt, the real concern is not with notification, by itself, but with unsuccessful data security practices within organisations. From this perspective, data breach notification laws that don't incorporate information security and risk assessment procedures are not likely to achieve long-term success because they provide few incentives to encourage full disclosure and regulatory compliance over time.[123] While notification might be a useful way to gain a better understanding of the scope and scale of the problem, as well as to give customers more control over their personal information and encourage organisations to boost their network security, it is not going to prevent data breaches from occurring over time.[124]

[122] Needles, above n 60, 281. Such as with respect to lost revenue, share devaluation, as well as notification and remediation costs.
[123] Jane K Winn, 'Are Better Security Breach Notification Laws Possible?' (2009) Berkeley Technology Law Journal 1133, 1159.
[124] Note that this sentiment was expressed by various law enforcement officials in Australia when they were asked, as part of a study into the anticipated outcome and effectiveness of the implementation of mandatory data breach notification laws in that country. One participant responded: 'The thing you have to remember about breach notification is that it's not a solution ... Breach notification is exposing the problem that doesn't assume we have solutions for those problems.' Another participant remarked: 'Mandatory disclosure is a too simplistic response to a complex set of circumstances ... it pretends that the problem is simple and the solutions are simple and it isn't.' See Bill Lane, Mark Burdon, Evonne Miller and Paul von Nessen, 'Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches' (2010) 15(2) Media and Arts Law Review 149, 158.

Moreover, the traditional model of data breach notification laws, discussed above, fails to differentiate between organisations that implement good quality information security practices in the long term, and those that demonstrate a wanton and reckless disregard for the personal information they are responsible for protecting.[125] What is needed is a process-based model that combines corporate accountability and the implementation of effective technical and non-technical organisational practices.[126] More collaborative forms of regulation can be expected to reduce the need for punitive measures, as well as decrease the cost of public enforcement (particularly when non-compliance within organisations is difficult to detect and easy to cover up).[127]

The process-oriented approach to regulation has become the instrument of choice for managing risk in publicly traded companies, as well as banks, in the US.[128] Organisations in a multiplicity of different industry sectors are now required by law to abide by industry-specific soft management process standards, such as the GLBA, discussed above, and establish risk-assessment and information security schemes to protect information.[129] Since risk itself is highly context-specific, and plays out differently across a range of diverse industry sectors, the choice of security measures and technology implemented can depend upon the type of organisation, in terms of its size, its sophistication/complexity, the type and scope of its business activities, as well as the nature and quality of the data protected.[130]

A risk-based approach uses less coercive forms of regulation and emphasises self-regulatory initiatives wherever possible.[131] It allows for mitigation objectives to be determined internally, on an individual basis, according to the idiosyncratic threats faced by the organisation at the relevant time period, as well as the costs of responding to them.[132] The goal is simply to set reasonable standards for information security, and leave it up to the regulated entities to develop their own security processes, rather than stipulating the measures that must be adopted, or the outcomes that must be achieved.[133] Ultimately, this leaves regulated firms with the task of setting appropriate standards, and it enables them to review, rework and revise their own risk-reduction goals independently, particularly as technology progresses.[134]

[125] Winn, above n 123, 1159.
[126] Regan, above n 19, 1114.
[127] Winn, above n 62, 201.
[128] Kenneth A Bamberger, 'Technologies of Compliance: Risk and Regulation in a Digital Age' (2010) 88(4) Texas Law Review 669, 672, 680.
[129] Ibid 680.
[130] Ibid 673.
[131] Winn, above n 62, 201.
[132] Thomas J Smedinghoff, 'The State of Information Security Law: A Focus on the Key Legal Trends' (May 2008) SSRN 17 <http://ssrn.com/abstract=1114246>; DOI: <http://dx.doi.org/10.2139/ssrn.1114246>.
[133] Bamberger, above n 128, 673. Bamberger contrasts this approach with the one largely adopted by environmental regulators.

Along these lines, the regulator can identify best practices for safeguarding against data security breaches, which might include keeping up to date with evolving industry standards and procedures, network intrusion identification, encryption, firewalls, and the like, as well as risk management, auditing, and employee background checks. The regulator could also require the development of reasonable physical, administrative and technical security procedures and practices (preferably, in writing) to manage and offset these risks (as well as to achieve objectives, such as guaranteeing the availability of systems and data, preventing unlawful or accidental destruction, modification, loss or leak of information and ensuring the confidentiality, reliability and safety of information).[135] The periodic monitoring and testing of these mechanisms, including making adjustments and implementing updates, when necessary, is also important. As such, undertaking independent audits of physical and technical security, both internally and by independent third-party professionals, where applicable, and reporting, as well as incident tracking, might also be required.

For their part, organisations can identify key information assets (including communications and processes, as well as information systems) and implement risk assessments to identify (internal and external) vulnerabilities and risks. In addition, they can assess the likelihood that each threat will occur and evaluate the potential harms that might arise. Organisations can further prevent employee mistake or misconduct, including outright fraud, by controlling access to particular types of workers, or certain kinds of data. They can also audit for compliance and monitor, in real time, for threats to network security, whilst flagging suspicious activity.[136] Along these same lines, the training and education of employees about the threats or vulnerabilities the organisation faces, as well as the security program and incident response plan (including developing education tools/techniques; effectively screening and monitoring employees, as well as imposing sanctions, when necessary) is critical.

134 Smedinghoff, above n 132, 18.
135 Note that this can include a range of considerations, such as: determining the appropriate measures to safeguard against destruction, loss or damage to information due to environmental hazards or technological breakdown; access restrictions to buildings and facilities; technical access controls to prevent unauthorised access to information systems and data; intrusion detection systems to monitor attempted intrusions and break-ins, both in the physical and virtual sense; employee monitoring and detection mechanisms, such as background checks, and controls to prevent unauthorised access, particularly after the termination of employment; the development of an effective incident-response plan, in the event that a security breach is suspected, including backup data plans, disaster management, data recovery procedures and containment; system security, as well as data security, confidentiality and storage, not only on-site, but also in terms of off-shore storage, processing, and destruction of data and/or hardware, especially where third-party contractors are involved, or where cloud-storage is used: Smedinghoff, ibid 24-25.
136 Bamberger, above n 128, 686, 715.
5 Conclusion
Mandatory data breach notification laws brought much-needed attention to areas of concern that were previously unknown, particularly organisational inadequacies regarding the security of personal information, and led to innovative organisational practices and regulatory initiatives. This is important given that there is little or no incentive for private and public organisations to report data breach information on their own, particularly given the fear of reputational sanctions.[137] Yet, data breach notification laws can also bring publicity to breaches that are relatively minor, and not likely to have a significant impact given the low risk of identity theft, which can unnecessarily lead to costly legal action or regulatory enquiry.[138]

Corporate obligations regarding security originate from many sources, including common laws, statutes and regulations, contracts and industry standards, and they cover a wide range of data types, not just personal information.[139] In addition to these obligations, we have witnessed a global trend toward the enactment of laws and regulations that impose a duty to disclose data security breaches. Many countries, including Australia, are currently implementing this scheme to address the problem of identity theft. Data breach notification laws can be beneficial for Australians, but only if they are implemented in a manner that seeks both to reduce harm from breaches and augment data security to stop breaches from occurring. They must also be implemented in conjunction with other regulatory initiatives designed to increase voluntary compliance and self-regulation, as well as investigation and independent oversight functions, such as through periodic security audits.[140]

Data breach notification laws can play an important role in transforming business practices and increasing consumer awareness through increased media coverage and post-hoc measures. This can have an impact upon the way that an individual employee thinks about his or her role in managing data on a day-to-day basis. For example, if he or she recognises that a breach can result in the loss of individual social security numbers, with the potential for significant corporate liability in terms of lost revenues and negative publicity, this can have a direct impact on how the employee treats consumers' personal information.[141]

137 Garcia, above n 27, 693.
138 Schwartz and Janger, above n 2, 928.
139 Smedinghoff, above n 132, 1.
140 Winn, above n 123, 1160.

Thus, the potential for public recrimination triggered by notification can strengthen awareness of sound data security practices within organisations. Mandatory data breach notification laws can therefore be effective at fostering good data security awareness, as well as increasing transparency and accountability with respect to information security practices, both to avoid brand tarnishing issues and to achieve a competitive advantage.[142] However, reliance upon a single form of regulation is not likely to be effective at achieving modern policy goals in today's complex global information society. More pragmatic and functional regulatory mechanisms in this area should rely on the enhancement of sound business practices and IT security measures that could lead to a reduction in costly breaches over time.

141 Kenneth Bamberger and Deirdre Mulligan, 'Privacy on the Books and on the Ground' (2011) 63 Stanford Law Review 247, 276.
142 Ibid 293.