Addressing Cross-Border Data Breaches
Aussies' Notification Bill Tackles Data Transfers Out of Country
A provision in proposed breach notification legislation before Australia's parliament could deem the unauthorized transfer of data from Australia to another country a breach.
"We've seen the concept of cross-border data transfers mostly in Europe," privacy lawyer Françoise Gilbert says in an interview with Information Security Media Group [transcript below]. "Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures. ... Australia is sort of following this trend and becoming much more serious about the cross-border data transfers."
Another key provision found in the proposed Australian law would allow a government official, most likely the information commissioner, to require an organization to notify its stakeholders of a data breach, even if the organization earlier ruled a disclosure was not necessary.
"[The official would] go to the company and say, 'I've heard that you've had a breach about this and that, and I think that this breach requires notification to the individuals,'" Gilbert says. "That's an interesting aspect where the commissioner is taking a much more proactive role."
In the interview, Gilbert:
- Provides an overview on the Australian breach legislation;
- Explains how the Australian legislation differs from laws enacted in the United States and Europe; and
- Discusses the challenges organizations face in complying with multiple, international data breach notification laws.
Gilbert, a founder of the IT Law Group, specializes in information technology, Internet, IT security and privacy law. She has taught technology and data protection law in the Graduate School of Health Information Science at the University of Illinois in Chicago since 1992, and has been a frequent guest speaker at John Marshall Law School in Chicago and at the Silicon Valley Center for Entrepreneurship at San Jose State University in California. Gilbert has earned law degrees in Chicago and Paris.
Australian Breach Legislation
ERIC CHABROW: Take a few moments to tell us about the new privacy legislation Australian lawmakers are considering in regards to breach notification.
FRANCOISE GILBERT: It's a bill that's somewhat familiar to many of the bills that we have seen in the past in the U.S. and in different countries. Basically, if there's a breach of security and there's a risk of serious harm to an individual, the entity who would have suffered the breach would have to notify the individual of that breach, as well as notify the Australian information privacy commissioner.
CHABROW: You're saying these are very similar to what we may see among the 46 state laws in the United States and what the European Union has?
GILBERT: Roughly that's the same concept. That's what has inspired this June bill.
Disclosures Outside of Australia
CHABROW: Is there anything unique about the Australian bill?
GILBERT: First of all, it's 17 pages. In that respect, it's a document that's well thought through and very detailed. In this respect, it's quite impressive. Another aspect is not only does it address the concept of breach of security in the same way as we've seen in the U.S. and elsewhere, but also it would make some disclosures of information outside of Australia ... a breach of security. Basically, if an Australian company had disclosed information about an individual to an overseas recipient in violation of the general privacy law of Australia, [it] would be deemed a breach of security and that would also require a notice.
CHABROW: Most other laws don't require that outside their own jurisdictions?
GILBERT: That is the first time I see a mixture of the traditional security breach combined with the notion of cross-border data transfers.
CHABROW: If I understand, most laws don't require that?
GILBERT: Most laws just talk about breach of security and that's it.
CHABROW: So they're not really explicit about who's to be notified?
GILBERT: Think of breach of security in basically two ways. Either you have unauthorized access to information; so you have a hacker or you have a disgruntled employee who has accessed information. So there's a clear intrusion into personal data. The other way that breaches of security are identified is because information has been lost. The classic person who forgets a laptop or the laptop is stolen in a taxi or in an airport - that's the typical definition of a breach of security.
Here, there's this additional concept of the disclosure of information to people outside of Australia. It's a nod, if you want, to the other issue that we've seen in many countries of the world related to the transfer of information outside of the country.
CHABROW: [Do] you think it's a good idea to have this kind of provision in the law?
GILBERT: Let's say that it's interesting. We've seen the concept of cross-border data transfers mostly in Europe, even though this is found in most of the data protection laws in the world. But Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures. It's interesting to see that Australia is sort of following this trend and becoming much more serious about the cross-border data transfers.
Challenges Organizations Face
CHABROW: How much of a headache is this for businesses, as these new national laws or state laws of the United States are imposed, keeping abreast of them? Obviously, it keeps people like you busy.
GILBERT: You have different issues. One is to try to figure out what the law requires and when it applies. For example, the major headache in the U.S. is that we have different triggers among the 46 states. You have states that have followed the California model that only focuses on five or six types of data loss. If you lose a Social Security number, credit card number, some financial information or some healthcare information, it triggers the disclosure. On the other end, you have other states that have a list of 20 different categories of data that could be lost that triggers a disclosure.
When you have a company and you want to do the minimum amount of disclosure that you would be required by law, you're going to have to figure out whether, [for example], today I lost a mother's maiden name. I have to make a disclosure in this and that state, as opposed to tomorrow I lose a Social Security number and then I have to make a disclosure in every single state. You need to keep up to figure out what's the list of the day in each of the states. That's one major difference between the different laws in the states.
Another difference is what they define as the trigger, what kind of harm, and we have also some laws that only apply to electronic information and some other laws in other states that apply to both electronic and paper information. You need to have a big Excel spreadsheet to keep up with the differences between the different states.
In Australia, it's a law that focuses mostly on personal information. It does not define what kind of personal information needs to be lost. It's just if you have personal information, you lose it and it causes a real risk of serious harm to an individual, then that triggers the disclosures. Then there are a few special cases for credit-reporting bodies, credit providers and the loss of tax file numbers, which is the equivalent of our Social Security numbers.
Information Commissioner's Responsibilities
CHABROW: Anything else you would like to add?
GILBERT: There's one aspect that's interesting. The information commissioner would be given the right to direct an agency or a business to notify individuals. That means that if there's a breach that occurs and a company or an agency elects not to give notice because it has made its own assessment that it was not worth it and the information commissioner hears about the breach, the information commissioner can make a decision to initiate the disclosure. [He would] go to the company and say, "I've heard that you've had a breach about this and that, and I think that this breach requires notification to the individuals." That's an interesting aspect where the commissioner is taking a much more proactive role.
CHABROW: To be clear on this, is the commissioner ordering the company to comply, or is the commissioner doing it him or herself?
GILBERT: No. They would tell the company, "I know that you have had a breach. I think that this breach is a breach that causes a real risk of serious harm. Therefore, under the law, you should make a full disclosure."
CHABROW: Most laws in the United States and in Europe don't have that kind of requirement? It's up to the individual businesses to decide whether they're going to do notification?
GILBERT: I'm not aware of any law that has this requirement. Usually what we see is a commissioner - or, in the U.S., a state attorney general - who would be hearing about something happening through the press or through the blogs. Because of that, they would take the initiative of conducting an investigation, knocking at the door of the company and saying, "I've heard that you had a breach. Show me your security measures." The action of the regulator would be more on investigating whether the company has the proper information security measures.
Influence of National Legislatures
CHABROW: What influences do various national legislatures have on other nations?
GILBERT: It's clear that the legislatures copy each other all over the world. The security breach disclosure laws are one example where it started in California and then, [when] the rest of the states heard about this law, implemented them in their own states in the U.S. Then the rest of the world further heard of this law as well and started implementing them in their countries, and that's really a case where when you talk to anybody around the world who's implementing a security breach disclosure law, they always make reference to the California law and the U.S. initiative.