
Down Under, Lawmakers Ponder Pain and Suffering from Breaches

by Paul Roberts on Tuesday October 11, 2016


Should businesses be liable for the pain and suffering experienced by customers as the result of a data breach? Lawmakers in Australia say “yes.”

Should consumers affected by the theft or loss of their personal data be able to receive compensation for the pain and suffering it caused them? Lawmakers in Australia think the answer is “yes” and have proposed new laws that would make breached firms responsible for paying damages.

The proposed legislation was introduced in 2015. It would amend Australia’s Privacy Act of 1988 with a particular focus on data privacy. The amendment would replace voluntary guidelines and, for the first time, establish a federal data breach notification law for Australia (I know – crazy, right?). It would set a uniform standard for Australian businesses and other organizations when it comes to data breach notification.

But business groups are up in arms about provisions of the law. Among them: the prospect of civil penalties for firms that fail to notify breaches that cause “serious harm” to consumers, a term the bill defines to include “physical, psychological, emotional, economic and financial harm, as well as harm to reputation.”

The goal of the legislation is to “permit the use of less severe sanctions before elevating to a civil penalty,” according to an explanatory brief published by the Australian government. Public or personal apologies, compensation payments or enforceable undertakings could be used in lieu of civil penalties, which would “only be applicable where there has been a serious or repeated non-compliance with mandatory notification requirements,” the document said.

The proposed legislation, which will be re-considered in 2016, builds on the data breach notification laws enacted in most U.S. states and, in many ways, improves on them, according to commentary offered by the Australian Cyberspace Law and Policy Community. Among other things, the proposed legislation is specific about the content that must be included in a breach notification and sets a threshold for “harm” to reduce the likelihood of excessive breach notifications that overwhelm consumers and create “notification fatigue,” the group noted.

Still, the Australian business community remains opposed. The Australian Chamber of Commerce warned that the law, as written, is too vague and will be difficult and expensive to enforce. Comments by the Australian Association for Data Driven Marketing and Advertising (ADMA) questioned whether a federal law is even necessary and took aim at the definition of a “serious data breach.” “Although the definitions are drawn from the current voluntary regime, enshrining such vague definitions in legislation will only serve to drive business to adopt an overly cautious approach to reporting which in turn is likely to result in notification fatigue,” ADMA said. More regulation will mean a higher cost of doing business, which will be passed on to consumers, ADMA argued.

And, to be fair, even supporters of the law note that it has shortcomings. The Cyberspace Law and Policy Community response criticizes the proposed legislation for being too vague about what a breached entity’s obligations are and leaving it largely to breached firms to determine the level of “harm” in a given incident.

The notion of “harm” is also working its way through U.S. courts, where 46 states, the District of Columbia and three U.S. territories have passed separate data breach notification laws. As this blog has reported, U.S. courts have issued conflicting rulings on whether consumers whose data has been stolen or leaked from breached firms have suffered a “harm” that gives them standing to sue (for example, in class action suits). In recent months, however, breached firms like Home Depot have opted to settle class action suits rather than argue that their customers suffered no harm from the theft of their financial data. And in at least some recent cases, courts have shown a willingness to consider that a data breach may carry a “future risk” of harm, akin to exposure to environmental toxins, that is not yet apparent at the time of the breach.

It remains to be seen whether the proposed Australian legislation will become law. Meanwhile, in the U.S., the absence of a federal standard for what constitutes a “breach,” for whether breaches constitute “harm” to the public, and for what companies are required to disclose and when, is likely to leave consumers with little in the way of concrete legal protections and guarantees.

Tags: Policy, Data Breaches
