Privacy Down Under: ‘Garbage, trash or junk’

When it comes to privacy, Australians are left to choose between garbage, trash or junk.

That is how Gartner‘s vice-president of research, Rich Mogull, describes the current data privacy landscape in Australia.

A strong advocate of the introduction of disclosure laws which force banks to notify customers of a security breach, Mogull says the Australian government needs to act by implementing legislation that includes penalties to ensure compliance.

Without these laws, says Mogull, customers cannot make an informed decision when seeking a financial services provider. He says breaches are occurring in Australia but it’s impossible to get meaningful statistical data that could provide some insight into the current IT security landscape.

“There is no legislative protection in Australia: just the National Privacy Principles [under the Privacy Act], which are not enforced. The current landscape in Australia is what it was like in the United States pre-2005, before the first breach notification law was introduced in California,” he says.

Mogull’s comments, delivered at Gartner’s IT security summit in Sydney earlier today, are part of a broader push for changes to the Privacy Act, currently being reviewed by the Australian Law Reform Commission.

The Commission is releasing a discussion paper next month recommending the introduction of security breach disclosure laws in Australia, with the final report to be delivered to federal Attorney General Philip Ruddock in March 2008.

The recommendation also has the support of Federal Privacy Commissioner Karen Curtis.

Mogull says disclosure laws in the U.S. have been the biggest single driver in improving the IT security landscape.

Under Californian law, if a specific combination of data is disclosed, then customers must be notified. That combination includes the customer’s first and last names, credit card and banking details, and social security number.

“The law was ignored for two years until the Choice Point breach; then the flood gates opened,” Mogull says. “Previously there was no external pressure to act. If an organization is losing customer data and it doesn’t affect the business, then there is no impact.

“The customer suffers, but the business doesn’t. There is a built-in market force to keep your mouth shut. Basically, market forces are working against privacy protection.”

Mogull says 40 states in the U.S. now have disclosure laws providing customers with a level playing field to make informed decisions.

“The IT security landscape here today has been reduced to a choice of garbage, trash or junk. But bad publicity about breaches can change that, it can force change,” he says.

“Australia isn’t any safer than the U.S. when it comes to data protection. I know breaches are occurring as I work with the financial services sector here, and I know what security programs the banks have in place.

“In fact, I think it is a much harsher environment here, especially when it comes to phishing and Australia’s proximity to Asian economies; it is just hidden more from consumers. There are no market forces pushing organizations to do better.”

Mogull says disclosure laws are a good starting point to improve the IT security landscape, because it would enable the collection of valuable data, and to understand how breaches occur. “With good stats, we can make good decisions,” he adds.

While Mogull believes the laws should include penalties, he says there should also be a built-in mechanism that allows consumers to take legal action themselves.

He admits organizations may need to increase budgets to be compliant. “If an organization is currently spending five per cent of their budget on security, they may have to bump that up to seven per cent; but this usually involves a shifting of funds rather than new money,” Mogull says.

Australian Bankers Association CEO David Bell says banks already have a legal duty to protect customer data under a number of laws, without the introduction of data disclosure legislation.

He says confidentiality and privacy are at the core of customer relationships, adding it would be premature to comment on the introduction of data disclosure laws before the Commission’s final report was handed down next year.

“But we are certainly awaiting the outcome of the report as the ABA has made a submission to the Commission on the privacy review,” says Bell.

Related content:

U.K. data protection changes prompt warning

Justice report finds secretive FBI data mining widespread

The future of the Web, as seen by its creator

Eight security tips every CIO should know

Cyber-crime protection pushes new precedents for privacy

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now