Australia may be falling behind other countries in implementing data breach notification laws to require companies and government agencies to notify consumers when their personal information has been exposed or stolen. ZDNet Australia reported:
"Australia currently doesn't have any legislation to force companies to disclose breaches, even though it was recommended as part of the Law Commission's report on privacy, released in 2008."
The article summarized existing breach notification laws or pending legislation in several countries:
"Internet and telecommunications service providers in the UK are also already required to disclose when they have experienced a breach. However, the EU commissioner said last month that she wanted to extend this to all businesses... New Zealand doesn't have any breach notification laws... Canada has a Bill that is proceeding through parliament that will require businesses to disclose data breaches if they may result in a 'real risk of significant harm'. Until this is passed, its Federal Privacy Commissioner has issued guidelines for organisations to follow in the event of a breach, but these are voluntary."
According to the National Council of State Legislatures (NCSL), as of October 2010, 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands had breach notification laws requiring notification when consumers' personal information is disclosed. The four states lacking breach notification laws were Alabama, Kentucky, New Mexico, and South Dakota.
If you live in one of those four states without breach notification laws, you might want to ask your elected officials why.
The need for legislation in the USA is driven not just by the need for data breach notification but also by the need to protect consumers' privacy. The Do Not Track opt-out setting for consumers is largely ignored by advertisers. Plus, Ars Technica reported:
"... the United States and Turkey are the only developed nations in the world without a comprehensive law protecting consumer privacy. European citizens have privacy rights, Asian citizens have privacy rights, Latin American citizens have privacy rights. In the US, however, in lieu of a comprehensive approach, we have a handful of inconsistent, sector-specific laws around particularly sensitive information like health and financial data..."
"... risk-averse lawyers have figured out that the best way to not violate [FTC guidelines] is to not make explicit privacy promises at all. For this reason, corporate privacy policies tend to be legalistic and vague, reserving rights to use, sell, or share your information while not really describing the company’s practices. Consumers who want to find out what’s happening to their information often cannot, since current law actually incentivizes companies not to make concrete disclosures."
Various bills proposed in the U.S. Congress and in California:
- The Data Breach And Security Act of 2011: re-introduced in June by U.S. Senators Mark Pryor (D-Arkansas) and John D. (Jay) Rockefeller IV (D-West Virginia) to require businesses and nonprofit organizations that store consumers’ personal information to put in place strong security features to safeguard sensitive data, alert consumers when this data has been breached, and provide breach victims with tools to protect their credit and finances.
- The Secure and Fortify Electronic Data Act (a/k/a the SAFE Data Act) introduced by Mary Bono Mack (R-California), Chairperson of the House Subcommittee on Commerce, Manufacturing, and Trade, to establish national standards for data security and breach notification.
- The Best Practices Act introduced by Bobby Rush (D-Illinois) in February 2011
- The Consumer Privacy Protection Act introduced by Cliff Stearns (R-Florida) in April 2011
- Do Not Track legislation introduced in the State of California Senate
I have not yet read the entire text of all four bills, and will do so once the content settles after revisions and consolidations.