Addressing Cross-Border Data Breaches

Aussies' Notification Bill Tackles Data Transfers Out of Country

By , July 26, 2013.
Addressing Cross-Border Data Breaches
 

A provision in proposed breach notification legislation before Australia's parliament could deem the unauthorized transfer of data from Australia to another country a breach.

See Also: The Evolution of Advanced Malware

"We've seen the concept of cross-border data transfers mostly in Europe," privacy lawyer Françoise Gilbert says in an interview with Information Security Media Group [transcript below]. "Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures. ... Australia is sort of following this trend and becoming much more serious about the cross-border data transfers."

Another key provision found in the proposed Australian law would allow a government official, most likely the information commissioner, to require an organization to notify its stakeholders of a data breach, even if the organization earlier ruled a disclosure was not necessary.

"[The official would] go to the company and say, 'I've heard that you've had a breach about this and that, and I think that this breach requires notification to the individuals,'" Gilbert says. "That's an interesting aspect where the commissioner is taking a much more proactive role."

In the interview, Gilbert:

  • Provides an overview on the Australian breach legislation;
  • Explains how the Australian legislation differs from laws enacted in the United States and Europe; and
  • Discusses the challenges organizations face in complying with multiple, international data breach notification laws.

Gilbert, a founder of the IT Law Group, specializes in information technology, Internet, IT security and privacy law. She has taught technology and data protection law in the Graduate School of Health Information Science at the University of Illinois in Chicago since 1992, and has been a frequent guest speaker at John Marshall Law School in Chicago and at the Silicon Valley Center for Entrepreneurship at San Jose State University in California. Gilbert has earned law degrees in Chicago and Paris.

Australian Breach Legislation

ERIC CHABROW: Take a few moments to tell us about the new privacy legislation Australian lawmakers are considering in regards to breach notification?

FRANCOISE GILBERT: It's a bill that's somewhat familiar to many of the bills that we have seen in the past in the U.S. and in different countries. Basically, if there's a breach of security and there's a risk of serious harm to an individual, the entity who would have suffered the breach would have to notify the individual of that breach, as well as notify the Australian information privacy commissioner.

CHABROW: You're saying these are very similar to what we may see among the 46 state laws in the United States and what the European Union have?

GILBERT: Roughly that's the same concept. That's what has inspired this June bill.

Disclosures Outside of Australia

CHABROW: Is there anything unique about the Australian bill?

GILBERT: First of all, it's 17 pages. In that respect, it's a document that's well thought through and very detailed. In this respect, it's quite impressive. Another aspect is not only does it address the concept of breach of security in the same way as we've seen in the U.S. and elsewhere, but also it would make some disclosures of information outside of Australia ... a breach of security. Basically, if an Australian company had sent disclosed information about an individual to an overseas recipient in violation of the general privacy law of Australia, [it] would be deemed a breach of security and that would also require a notice.

CHABROW: Most other laws don't require that outside their own jurisdictions?

GILBERT: That is the first time I see a mixture of the traditional security breach combined with the notion of cross-border data transfers.

CHABROW: If I understand, most laws don't require that?

GILBERT: Most laws just talk about breach of security and that's it.

CHABROW: So they're not really explicit about who's to be notified?

Follow Jeffrey Roman on Twitter: @gen_sec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE NIST to Address Medical Device Security

As NIST launches an effort to address cyber risks concerning medical devices, security experts...

Latest Tweets and Mentions

ARTICLE NIST to Address Medical Device Security

As NIST launches an effort to address cyber risks concerning medical devices, security experts...

The ISMG Network