When it comes to privacy, Australians are left to choose between garbage, trash or junk.
A strong advocate of the introduction of disclosure laws which force banks to notify customers of a security breach, Mogull says the Australian government needs to act by implementing legislation that includes penalties to ensure compliance.
Without these laws, says Mogull, customers cannot make an informed decision when seeking a financial services provider. He says breaches are occurring in Australia but it’s impossible to get meaningful statistical data that could provide some insight into the current IT security landscape.
“There is no legislative protection in Australia: just the National Privacy Principles [under the Privacy Act], which are not enforced. The current landscape in Australia is what it was like in the United States pre-2005, before the first breach notification law was introduced in California,” he says.
Mogull’s comments, delivered at Gartner’s IT security summit in Sydney earlier today, are part of a broader push for changes to the Privacy Act, currently being reviewed by the Australian Law Reform Commission.
The Commission is releasing a discussion paper next month recommending the introduction of security breach disclosure laws in Australia, with the final report to be delivered to federal Attorney General Philip Ruddock in March 2008.
The recommendation also has the support of Federal Privacy Commissioner Karen Curtis.
Mogull says disclosure laws in the U.S. have been the biggest single driver in improving the IT security landscape.
Under Californian law, if a specific combination of data is disclosed, then customers must be notified. That combination includes the customer’s first and last names, credit card and banking details, and social security number.
“The law was ignored for two years until the Choice Point breach; then the flood gates opened,” Mogull says. “Previously there was no external pressure to act. If an organization is losing customer data and it doesn’t affect the business, then there is no impact.
“The customer suffers, but the business doesn’t. There is a built-in market force to keep your mouth shut. Basically, market forces are working against privacy protection.”
Mogull says 40 states in the U.S. now have disclosure laws providing customers with a level playing field to make informed decisions.
“The IT security landscape here today has been reduced to a choice of garbage, trash or junk. But bad publicity about breaches can change that, it can force change,” he says.
“Australia isn’t any safer than the U.S. when it comes to data protection. I know breaches are occurring as I work with the financial services sector here, and I know what security programs the banks have in place.
“In fact, I think it is a much harsher environment here, especially when it comes to phishing and Australia’s proximity to Asian economies; it is just hidden more from consumers. There are no market forces pushing organizations to do better.”
Mogull says disclosure laws are a good starting point to improve the IT security landscape, because it would enable the collection of valuable data, and to understand how breaches occur. “With good stats, we can make good decisions,” he adds.
While Mogull believes the laws should include penalties, he says there should also be a built-in mechanism that allows consumers to take legal action themselves.
He admits organizations may need to increase budgets to be compliant. “If an organization is currently spending five per cent of their budget on security, they may have to bump that up to seven per cent; but this usually involves a shifting of funds rather than new money,” Mogull says.
Australian Bankers Association CEO David Bell says banks already have a legal duty to protect customer data under a number of laws, without the introduction of data disclosure legislation.
He says confidentiality and privacy are at the core of customer relationships, adding it would be premature to comment on the introduction of data disclosure laws before the Commission’s final report was handed down next year.
“But we are certainly awaiting the outcome of the report as the ABA has made a submission to the Commission on the privacy review,” says Bell.