Australia's data privacy landscape called into question
- — 14 August, 2007 14:14
When it comes to privacy, bank customers in Australia are left to choose between garbage, trash or junk.
That is how Gartner's vice president of research, Rich Mogull, describes the current data privacy landscape in Australia.
A strong advocate of the introduction of disclosure laws which force banks to notify customers of a security breach, Mogull said the Australian government needs to act by implementing legislation that includes penalties to ensure compliance.
Without these laws, Mogull said customers cannot make an informed decision when seeking a financial services provider.
He said breaches are occurring in Australia but it is impossible to get meaningful statistical data that could provide some insight into the current IT security landscape.
"There is no legislative protection in Australia just the National Privacy Principles [under the Privacy Act] which are not enforced; the current landscape in Australia is what it was like in the United States pre-2005 before the first breach notification law was introduced in California," he said.
Mogull's comments delivered at Gartner's IT security summit in Sydney today are part of a broader push for changes to the Privacy Act currently being reviewed by the Australian Law Reform Commission (ALRC).
The ALRC is releasing a discussion paper next month recommending the introduction of security breach disclosure laws in Australia with the final report to be delivered to the federal Attorney General, Philip Ruddock in March, 2008.
The recommendation also has the support of the Federal Privacy Commissioner, Karen Curtis.
Mogull said disclosure laws in the US have been the biggest single driver in improving the IT security landscape. Under the Californian law, which he said is the first of its kind in the world, if a specific combination of data is disclosed then customers must be notified. That combination includes the customer's first and last name, along with credit card and banking details, and social security number. "The law was ignored for two years until the Choice Point breach then the flood gates opened," Mogull explained.
"Previously there was no external pressure to act. If an organization is losing customer data and it doesn't affect the business then there is no impact.
"The customer suffers but the business doesn't. There is a built-in market force to keep your mouth shut. Basically, market forces are working against privacy protection."