Government mulls over making data providers liable for hacking

New laws may be introduced that could allow victims of hacking attacks to sue their data providers if they aren’t taking enough steps to shore up their security and improve data protection standards, the Government has hinted.

The move comes after a number of small and medium businesses have suffered hacking attacks, along with large corporates such as Sony, which have seen private details and credit card numbers exposed to hackers.

However, some in the business community have been hesitant to accept the idea, with Australian Banking Association chief Steve Munchenberg saying that “we need to be very careful before we consider any civil and criminal sanctions which could hit small and large businesses, governments and their agencies, as well as individuals”.

Larry Bloch, chief executive of NetRegistry, which recently acquired the Melbourne hosting company Distribute.IT after suffering a massive hacking attack, also says there needs to be discussion over whether action could be taken under existing law.

“Certainly I believe it’s increasingly important for there to be regulation around data security, because the value of data and certainly the value of third party providers is growing. Distribute.IT is a great example of that.”

“I also think it stands to reason that companies have a responsibility to deliver a certain level of expectation around security and the data they hold.”

However, Bloch says he is under the impression that provisions for data hacks would fall under existing regulations for non-digital breaches.

“I’m not sure if it’s any different than if I have products, order forms, and then I just put a form with credit card details away in a file cabinet, and then an employee manages to gain access to it. As a company, if we didn’t do anything about, there would be some potential for a negligence claim.”

The discussions were prompted by the Australian Privacy Foundation, which recently met with privacy minister Brendan O’Connor to discuss stronger liabilities for companies that have suffered attacks and have not done anything to improve their security.

O’Connor told The Australian that “if new laws are introduced, this would mean a person could sue for a serious breach of their privacy”.

“I am happy to hear the full breadth of views; however, the proposal I am considering is for civil remedies – not criminal.”

Australian Privacy Foundation chairman Roger Clarke says the group wants the Government to adopt a recommendation put forward by the Australian Law Reform Commission back in 2008. The Government has promised an issues paper soon.

But Clarke says both criminal and civil actions are needed for companies that have broken their customers’ trust and haven’t done anything to improve security.

“We need both civil and criminal sanctions, but the criminal sanctions aren’t just for workaday mistakes. The reason we argue is because many haven’t got the message, and they aren’t paying enough attention to their security.”

Data experts have pointed to major hacks such as the Sony case, saying that major corporations aren’t taking their security obligations seriously enough. And with the number of attacks targeting SMEs on the rise, Clarke says it is important for customers to have the power to sue.

“We can’t achieve perfection, because hackers are awfully smart and will get in from time to time. But if corporations are caught out behaving irresponsibly, especially around data, there should be an ability to sue.”

“It would be dependent to the circumstances, because the smaller the company the less expectations the public can reasonably have. But there needs to be more provisions… in order to show just how slack some businesses really are.”