MyCRA Specialist Credit Repair Lawyers

Tag: mandatory data breach notification

  • Update on mandatory data breach notification laws

    The long-awaited amendments to the Privacy Act 1988 making reporting of serious data breaches mandatory have been passed in the House of Representatives and had their second reading in the Senate yesterday. We cover what this Bill will mean if it is passed, and what it means for your credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    If passed by both houses, the Privacy Amendment (Privacy Alerts) Bill 2013 will be implemented as part of amendments to the Privacy Act in March next year, alongside other amendments.

    The amendments will force businesses and government agencies covered by the Privacy Act 1988 to notify people when a serious data breach affecting their privacy occurs.

    The notification requirements do not apply to all data breaches, only breaches that give rise to a risk of serious harm. Serious harm could include physical and psychological harm, as well as injury to feelings, humiliation, harm to reputation and financial or economic harm.

    The Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements and the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches.

    The legislation has been introduced following criticism of the current voluntary reporting system. It seems when faced with a choice, many entities think of the bottom line or other publicity concerns rather than the security of people’s personal or financial information.

    A bit about how data breaches can threaten your credit file

    Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

    A lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised.

    Once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.

    These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.

    Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.

    What is not widely known is how difficult credit repair can be afterwards – even if the individual has been the victim of identity theft, there is no guarantee the defaults can be removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.

    Unfortunately data breaches are difficult for individuals to have any control over, and the only way people can ensure their details are safe is to demand that the companies they deal with have strong IT systems before disclosing that information. People should adopt the philosophy of a need-to-know basis for disclosing their personal information. They should always question the need for it to be handed over. If it is not essential, they shouldn’t do it.

    Image: Stuart Miles/ www.FreeDigitalPhotos.net

  • Mandatory data breach notification Bill before Parliament

    The Attorney-General has put before Parliament a mandatory data breach notification bill, which will require businesses and government agencies to notify people when a data breach affecting their privacy occurs. In our view this long overdue legislation is imperative to protect individuals who have their personal information unsecured in some way. This will allow those individuals affected to take swift steps to secure their own records and personal information from identity crime. We look at why these laws are so important and how a data breach can impact a person’s credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    Remember when Sony was hacked? Thousands of Sony Australia customers were kept in the dark about it for some time – and there wasn’t a thing our Privacy Commissioner could do after the fact, due to there being no legal requirement in Australia on businesses or other entities to notify individuals when a data breach in their business could impact their personal information.

    Events like that – along with a long list of other breaches – have inspired changes within our legislation.

    The Attorney-General Mark Dreyfus QC handed over The Privacy Amendment (Privacy Alerts) Bill 2013, for its first reading in parliament yesterday. If passed, amendments will be implemented along with other major amendments to the Privacy Act 1988, on March 12, 2014.

    The new laws will require all entities covered by the Privacy Act 1988, including many businesses, to notify the Office of the Australian Information Commissioner of data breaches.

    The notification requirements do not apply to all data breaches, only breaches that give rise to a risk of serious harm. The Commissioner will be able to seek civil penalties if there is serious or repeated non-compliance with the notification requirements.

    “To make sure that the new laws have teeth, the Information Commissioner will be able to direct agencies and business to notify individuals of data breaches,” Mr Dreyfus said in a statement to the media on Tuesday.

    In a Computerworld article ‘Proposed mandatory data breach notification bill read in Parliament’, Privacy Commissioner, Timothy Pilgrim, reportedly said he has supported the introduction of mandatory data breach notification laws in Australia since they were first proposed by the Australian Law Reform Commission in 2008.

    “The last couple of years have seen a number of high-profile data breaches and subsequent own motion investigations initiated by me, and research suggests that the frequency of data breaches in Australia has continued to grow over the past three years,” he said.

    Despite this upward trend, the Office of the Australian Information Commissioner (OAIC) received 46 data breach notifications in the 2011–12 financial year, an 18 per cent decrease from the previous year.

    “I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring,” Pilgrim said. “Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised.”

    Up to now, whilst organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, it has not been mandatory to do so. There has been much criticism over companies “holding out” on their customers following a data breach, and waiting days or up to a week or so to notify customers that their personal information may be at risk.

    During this time, it has been argued that hackers have had free access to this personal information without the customer doing anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.

    We agree this is an area which is overdue for legislation, especially going in hand with other new Privacy Amendments already passed.

    We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.

    Unfortunately it seems everywhere people turn some company has been hacked – and it seems every entity with a computer is vulnerable. It is still extremely scary the level of risk people’s personal information undergoes these days when it is stored online.

    Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

    A lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised.

    Once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.

    These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.

    Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.

    What is not widely known is how difficult credit repair can be afterwards – even if the individual has been the victim of identity theft, there is no guarantee the defaults can be removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.

    Unfortunately data breaches are difficult for individuals to have any control over, and the only way people can ensure their details are safe is to demand that the companies they deal with have strong IT systems before disclosing that information. People should adopt the philosophy of a need-to-know basis for disclosing their personal information. They should always question the need for it to be handed over. If it is not essential, they shouldn’t do it.

    The fact that our country is attempting to legislate this important area is a big step in the right direction. Forcing companies to act quickly would minimise the harm which could occur to the victims’ financial identity and credit file information. Whilst it won’t prevent all data breaches, it will encourage better security. A requirement to disclose potentially harmful breaches would mean a company’s bad security is thrown right into the limelight. And not even the big wigs would want that.

    Image: David Castillo Dominici/ www.FreeDigitalPhotos.net

  • Mandatory data breach notification finally on the table in Australia

    Should organisations be required by law to make data breach notifications when they occur? The Australian government has finally put this topic to the Australian public following the release of their discussion paper. This is long overdue so that customers who have their personal information unsecured in some way through a company data breach are notified and are able to take swift steps to secure their own records and personal information from identity crime. We look at why these laws are so important and how a data breach can impact a person’s credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    Yesterday the Australian Government released a statement to the media seeking views on the introduction of mandatory data breach notification laws, which aim to bolster privacy protections for Australians’ personal information in digital databases.

    Attorney-General Nicola Roxon said that it was timely for a public discussion on how legislation might deal with data breaches, such as when private records are obtained by hackers.

    “Australians who transact online rightfully expect their personal information will be protected,” Ms Roxon said.

    “More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers.

    Those high profile data breaches include the Sony data breach in 2011, First State Super scandal in the same year; this year the Zappos data breach and the Telstra data breach to name but a few instances where the personal information of Australians was exposed to hackers. What these incidents did is highlight the gaping hole in Australia’s privacy legislation which needed to be filled to protect consumers.

    Whilst organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, it has not been mandatory to do so. There has been much criticism over companies “holding out” on their customers following a data breach, and waiting days or up to a week or so to notify customers that their personal information may be at risk.

    During this time, it has been argued that hackers have had free access to this personal information without the customer doing anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.

    The Australian Privacy Commissioner, Mr Timothy Pilgrim has had little recourse within legislation to deal with lack of notification following a data breach.

    In his statement to the media, Mr Pilgrim said in 2011–12, the Office of the Australian Information Commissioner (OAIC) received 46 data breach notifications, an 18% decrease from the number of DBNs received in 2010–11.

    ‘This decrease in notifications is difficult to explain but I have seen reports that suggest we are only being notified of a small percentage of data breaches that are occurring. It is very concerning that many incidents may be going unreported and customers are unaware that their personal information may be compromised,’ Mr Pilgrim said.

    He has officially supported the release of the discussion paper.

    ‘…Privacy breach notification is an important issue that needs community debate, and I’m sure there will be a wide range of views expressed on whether this notification should be mandatory.’ Mr Pilgrim said.

    ‘Currently there is no legal requirement in Australia for organisations to notify individuals when a privacy breach occurs. However, I believe that where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can take steps to regain control of their identity and personal information by changing passwords or account numbers if they know that a data breach has occurred,’ Mr Pilgrim said.

    We agree this is an area which is overdue for going under the legislative spotlight. We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.

    Unfortunately it seems everywhere people turn some company has been hacked – and it seems every entity with a computer is vulnerable. It is still extremely scary the level of risk people’s personal information undergoes these days when it is stored online.

    Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

    A lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised.

    Once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.

    These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.

    Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.

    What is not widely known is how difficult removing credit listings which shouldn’t be there can be – even if the individual has been the victim of identity theft. There is no guarantee that the identity theft victim will have the defaults removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.

    This is where victims who need to recover their credit rating can often benefit from third party assistance, such as a credit repair company, to assist with proving the victim did not initiate the credit, help with a case for removal and negotiate on the victim’s behalf.

    But the best method is prevention – and this can be difficult for victims to have any control over. They leave their personal information with a company, and must trust that their systems are working and that their information is safe.

    The only ways people can ensure their details are safe or dealt with safely are to:

    a) Demand that the companies they deal with are protective over their customers’ personal information. They should demand companies have strong IT systems.

    b) Adopt a need-to-know basis for disclosing their personal information. They should always question the need for their details to be handed over. If it is not essential, they shouldn’t do it; and

    c) Demand our country adopt mandatory data breach notification laws so we can, as Mr Pilgrim describes, have our organisations “embed a culture that values and respects privacy.”

    Image: phanlop88/ www.FreeDigitalPhotos.net

  • Privacy Protection set to be heightened under Australian Law

    Big changes are coming for Australian privacy rights and laws governing the use of personal information. The Australian Government has announced it will make the first set of changes to the Privacy Act 1988 in the Winter sitting of Parliament. The announcement came yesterday from Attorney-General Nicola Roxon, who intentionally announced the changes to coincide with Australia’s Privacy Awareness Week.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    The Attorney-General said in her statement that Australia’s privacy laws will be reformed to better protect people’s personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner.

    The Attorney explained that key changes to benefit consumers are:

    • clearer and tighter regulation of the use of personal information for direct marketing
    • extending privacy protections to unsolicited information
    • making it easier for consumers to access and correct information held about them
    • tightening the rules on sending personal information outside Australia
    • enhancing the powers of the Privacy Commissioner to improve the Commissioner’s ability to resolve complaints, conduct investigations and promote privacy compliance

    These changes are part of a long consultation process coming out of recommendations made within the Australian Law Reform Commission’s report For your information: Australian Privacy Law and Practice.

    The changes will include new powers for the Privacy Commissioner to enforce privacy laws. Commissioner Timothy Pilgrim said in a statement to the media that these changes were a significant step forward and would allow him to resolve privacy investigations more effectively.

    “The strengthening of these powers also sends a strong message to government agencies and businesses covered by the Act that there can be significant consequences when personal information is not given an appropriate level of protection.”

    “These changes give me more options when undertaking an investigation on my initiative. At the moment I can only make a determination when I am investigating a complaint made by an individual,” Mr Pilgrim said.

    The powers of the Privacy Commissioner to investigate privacy complaints have previously come under criticism, particularly following the well-publicised global Sony data breach in April 2011, which seemed to showcase the gaping hole in Australian privacy law at the time. The data breach left the personal information of approximately 77 million Sony customers worldwide exposed to hackers and threatened the victims with possible identity theft and credit file misuse.

    Criticism was sparked by the Commissioner’s lack of powers to make determinations following any investigation, and also by Australia’s absence of mandatory data breach notification law. It was well publicised that Sony took over a week to notify its customers of the data breach, in the process potentially exposing customers to identity theft and credit file fraud.

    A recent survey conducted by the University of Canberra and eBay Australia found that Australian internet users were highly concerned about identity theft and wanted government to order businesses to notify users of online data breaches.

    The survey, reported in the CIO Magazine article ‘Call for mandatory data breach notification grows: Survey’, found 85 per cent of 700 Australian participants want data breach notifications to become mandatory. Here is an excerpt from that story:

    In addition, 86 per cent of respondents cited identity theft as their greatest privacy concern, while 83 per cent mentioned financial data loss as their biggest concern.

    The survey also found that the financial sector was the most trusted when it came to privacy (42 per cent).

    Social media was the least trusted industry on privacy with only 1 per cent of respondents saying they trusted websites such as Facebook. Sixty-one per cent of Australians surveyed nominated the social media industry as having the worst privacy practices.

    Privacy Commissioner, Timothy Pilgrim, said that the high level of support for mandatory data breach notifications is not surprising given significant data breaches over the past year such as the Sony PlayStation Network compromise.

    “Incidents are on the rise as weaknesses become apparent in business systems at the same time as hackers become more sophisticated,” he said in a statement.

    “I encourage businesses to look at our guide which not only outlines how to respond to a breach, but also how to avoid a breach in the first place by focusing on the security of their systems,” Pilgrim said.

    Other privacy law reform changes will include the introduction of a set of Australian Privacy Principles, and importantly, changes to credit reporting law.

    Some changes Attorney-General Nicola Roxon chose to highlight in her statement yesterday include:

    • making a clear obligation on organisations to substantiate, or show their evidence to justify, disputed credit listings
    • making it easier for individuals to access and correct their credit reporting information
    • prohibiting the collection of credit reporting information about children
    • simplifying the complaints process by removing the requirement to complain to the organisation first (complaints can be made directly to the Privacy Commissioner), and by introducing alternative dispute resolution to more efficiently deal with complaints.

    We will be watching with intense interest how the whole barrage of changes around credit reporting could impact consumers and their credit files. The above four recommendations would be a great improvement, as currently consumers can experience difficulty when disputing entries on their credit reports.

    MyCRA is proud to be a Partner for Privacy Awareness Week 2012.