© Xamax Consultancy Pty Ltd,  1995-2024

Roger Clarke's 'A Data Breach Notification Law'

Why you should oppose a data breach notification law

Version of 18 October 2012

OpEd Piece published in itNews on 19 October 2012

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2012

Available under an AEShareNet Free for Education licence or a Creative Commons 'Some Rights Reserved' licence.

This document is at

Data breach notification was a good idea - a decade ago.

In 2003, California's Security Breach Notification Law came into force, requiring that Californian consumers be notified when sensitive personal data about them is illegitimately obtained from a server or database.

By 2006, in the good old US tradition, a flurry of activity had resulted in 34 states having such laws.

Also in 2006, the then Australian Privacy Commissioner, no friend to privacy, was caught up in the enthusiasm, and announced that she was recommending that such a law be passed in Australia.

By 2012, in the good old Australian tradition, the ALRC had studied the question for 2 years, the government had cogitated for 4 years, and, just this week, the Attorney-General took decisive action, as reported by Hilvert (itNews, 18 October 2012).

But don't get too excited, because the decisive action Attorney-General Roxon took was to release a Discussion Paper.

So the timetable looks like being 2014 for the draft Bill (assuming the Government is re-elected and the initiative doesn't get lost somewhere), 2015 for passage, 2016 for the law to come into force, and 2019 for the Privacy Commissioner to be embarrassed into abandoning its established practice of merely warning miscreants and actually starting to impose sanctions.

And what would we get out of it anyway?

All that data breach notification does is expose the fact that organisations are culpably cavalier with sensitive data, and fail to implement well-understood security safeguards.

But, um, we know that already.

So privacy advocates and security specialists alike are naturally *opposed* to mandatory data breach reporting.

The reason is that it's being used as an excuse to hold off what is now clearly necessary.

Dear Attorney-General, please get on with it, and submit a Bill to create a privacy right of action. Your predecessor published an Issues Paper a year ago, and privacy advocates welcomed and supported it.

And then please get to the real agenda. We need criminal offences on the statute books for serious and/or repeated failures to implement security safeguards commensurate with the sensitivity of the data.

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.


Created: 18 October 2012 - Last Amended: 19 October 2012 by Roger Clarke - Site Last Verified: 15 February 2009