The Australian Privacy Foundation has submitted additional comments on proposed data breach notification regulations in Australia. You can read their supplement here. Not surprisingly, I remain in substantive agreement with their recommendations.
The Australian Privacy Foundation has responded to Australia’s draft breach notification law. You can read their comments here. Not surprisingly, I agree with their concerns.
As I’ve been reporting for a while now, Florida is an absolute hotbed of ID theft for tax refund fraud schemes. Yet state-level prosecutors are hampered by a law that requires them to prove intent to use/misuse information if someone is found in possession of others’ identity information. Of course, the federal prosecutors are not similarly hamstrung, but there’s a move afoot to fix Florida’s laws. See this news report on News4Jax.com.
Paul Smith reports:
The Australian Bankers Association has defended the strength of IT security processes in place across Australia’s banking system following the revelation that Reserve Bank of Australia systems had been compromised by China-based hackers.
However, security experts said the incident highlighted the need for Australian data breach notification laws to be tightened to force organisations to come forward when they were hacked.
ABA chief executive Steven Münchenberg told The Australian Financial Review that there were no reports of similar attacks on other local banks, and that effective processes were already in place to co-ordinate fraud investigations with federal and state police.
Read more on Financial Review.
Antone Clark reports:
State lawmakers are taking action to prevent another breach of sensitive data following the inadvertent release of almost 800,000 names in 2012.
The House voted unanimously to approve legislation establishing guidelines for how information for Medicaid and CHIP recipients will be handled and also pushing the state to actively identify industry best standards in protecting electronic databases.
The measure, SB 20, now goes to the governor.
Read more on Standard-Examiner.
The Maine Credit Union League and representatives from Maine’s credit unions recently testified on two bills about breach notices and student-loan insurance bills, before two separate state legislative committees in Augusta.
L.D. 158 requires that notice of a security breach must be made no later than 30 days after discovery of the breach to residents affected by the breach. It also would double the financial penalties for a civil violation.
Rebekah Higgins, assistant vice president of card services for Synergent, testified Feb. 28 before the Insurance and Financial Services Committee on behalf of the Maine league, which opposes the bill (Weekly Update March 8).
Read more on Credit Union National Association.
You can find the text of the bill here (pdf). It incorporates two different triggers for notification: for information brokers, the trigger would be acquisition, or reasonable belief of acquisition, of computerized data containing personal information by an unauthorized individual. For others, the trigger is “misuse of the personal information has occurred or if it is reasonably possible that misuse will occur.” The inclusion of “no later than 30 days” notification language would appear to limit how long entities can delay notification in the event of a law enforcement investigation, something the Maine Credit Union League noted in their testimony.