Broadband Tech > Security > Security > Australia-compulsory reporting of online privacy breaches

Companies would be required to notify customers if the security of their personal information was compromised under proposals released for discussion by the Gillard government today.

Currently, organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, but are not obliged to do so.

Attorney-General Nicola Roxon this morning released a discussion paper to seek comment on whether organisations should be required to report breaches, what kind of breaches should have to be reported, who should be notified, and what penalties should apply for failure to comply.

"Australians who transact online rightfully expect their personal information will be protected," Ms Roxon said.

"More personal information about Australians than ever before is held online, and several high-profile data breaches have shown that this information can be susceptible to hackers."

In April last year, hackers accessed the accounts of more than 100 million users of Sony's PlayStation Network and Qriocity entertainment services. Last December, the details of 800,000 Telstra customers were found on an unprotected website.

These breaches are in addition to the University of Sydney, ANZ, Westfield, tech giant Dell, South Australian government-owned medical company Medvet, gaming behemoth Valve, web host and domain name company Distribute.IT, First State Super, Computershare and Vodafone all exposing customers' personal information.

The release of the discussion paper comes more than four years after the Australian Law Reform Commission (ARLC) concluded a 28-month inquiry into the effectiveness of the Privacy Act, which recommended that government introduce mandatory data breach notification laws which force companies to reveal breaches.

It also comes after one of the world's most infamous computer hackers, Kevin Mitnick, told Fairfax Media in an article published in August this year that the Australian government's inaction on data breach laws meant scores of privacy disasters were going under the radar. "The only reason that [companies in the US] come forward [now] is because the laws now require it," Mitnick said.