This article is more than 1 year old
Australian Privacy Act feels revamp pressure
Sony breaches may force hand
The Australian government may consider expediting significant reforms to the Privacy Act as a result of the Sony data breaches.
The Australian Privacy Commissioner, Timothy Pilgrim has already opened an investigation into the Sony Playstation Network security breach where 77 million users of the network have had their personal data compromised. Pilgrim issued an additional statement in response to the subsequent news this week relating to a breach relating to Sony Online Entertainment in which an additional 24.6 million users including 12,700 non-US customer credit or debit card numbers had been affected.
In what is essentially a pro-forma response from the office, Pilgrim has “have asked SOE for information about this incident," and promised an "own motion investigation" of the attack (that is, an investigation launched without waiting for specific complaints to arrive at the office).
"This latest incident is extremely worrying," said Pilgrim. "I am particularly concerned that it involves information stored on an out of date database.
"It reinforces my view that organisations need to consider further limiting the amount of information they collect and store about people. They should also make sure that information is destroyed when it is no longer needed as is required under the Privacy Act,” Pilgrim said.
While the commissioner has asked what information was compromised and what network security was in place at the time of the breach, he has not asked Sony to explain what vulnerabilities were exploited, nor to detail what new security measures it might apply to defend against future attacks.
There is currently no mandatory data breach notification obligation in Australia. The Australian Law Reform Commission recommended that consideration should also be given to the introduction of mandatory data breach notification laws.
Pilgrim said that there are a number of significant reforms to the Privacy Act currently being considered by the government including increased powers for the Commissioner to impose penalties following an own motion investigation, such as enforceable undertakings and civil penalties for serious breaches of privacy. ®