Catch of the Day's three-year silence proves need for disclosure laws
As a major data breach once again makes headlines, Australia is debating new legislation that could make disclosure of hacks mandatory.
Shadow Attorney General Mark Dreyfus has described Catch of the Day's delayed data breach revelation as "not acceptable", saying it is a timely reminder that privacy law needs to be updated to protect Australian consumers.
Daily deals website Catch of the Day contacted its customers late on Friday July 18, 2014 to inform them it had fallen prey to an "illegal cyber attack" that had exposed credit card data, passwords and other user information. It advised that users who joined the service before May 7, 2011 should change their passwords.
However, while Catch of the Day said it "informed police, banks and credit card companies" at the time of the breach, customers were not told that their personal details were hacked. Rather, the company waited more than three years to inform its customers, and gave them no reason for the delay.
Despite repeated requests for explanation of the original breach, why users were not informed and why the company declined to offer any reasons for its lengthy delay on disclosure, Catch of the Day has maintained radio silence.
Now Australia's Shadow Attorney General has weighed in on the breach. "Catch of the Day waiting 38 months to tell its customers is not acceptable," Dreyfus told CNET. "They should have informed their customers straight away.
"I think it's far, far too late and it means that none of their customers had the opportunity to prevent against any damage that may have been done to them. The reason why it's important that customers be advised straight away is so that they can take necessary steps to protect their privacy and to protect potentially against financial damage."
While Catch of the Day has drawn the ire of customers and privacy advocates, it has not actually broken the law. But a new bill before Parliament may change all that.
The Privacy Amendment (Privacy Alerts) Bill 2014 amends Australia's Privacy Act 1988, making it compulsory for organisations to disclose major data breaches to affected consumers. The bill passed the House of Representatives in 2013 but did not survive the 2013 election. Now it is back, with Dreyfus once again seeking to turn the current voluntary privacy guidelines into mandatory requirements.
According to Dreyfus, the Catch of the Day case is "a very good demonstration" of why data breach notifications should be enforceable.
"At the moment we've got non-mandatory guidelines that have clearly not been followed by Catch of the Day," he said. "It's likely that there are a number of data breaches which are simply going undisclosed."
Under the proposed legislation, companies would not be required to notify customers of every security risk, but they would need to disclose data breaches that pose the risk of "serious harm" to those whose information is compromised. According to Dreyfus, this includes "data breaches that can lead to financial fraud, to identity theft, blackmail or [breaches] that might jeopardise someone's safety".
The bill is informed by a 2008 Australian Law Reform Commission report into Australian Privacy Law and Practice, which first proposed the "serious harm" test to establish whether a company should be required to disclose a breach.
"Serious harm is not limited to identity theft or fraud," the report read. "The harm could include, for example, discrimination, if sensitive medical information was released."
While the ALRC did not comment on the specifics of Catch of the Day's recently-revealed data breach, a spokesperson told CNET that in any case where a data breach raises a risk of harm to affected users, "then of course those people need to know as soon as possible".
This is a sentiment echoed by Privacy Commissioner Timothy Pilgrim, who said as many as 96 percent of Australians expect to be told when their data is hacked and that prompt notification is essential.
"Critical incidents may still be going unreported and consequently consumers may be unaware when their personal information could be compromised," said Pilgrim. "People affected by data breaches that may have serious financial or other consequences are unable to take mitigating steps to protect their personal information if they are not appropriately notified."
For her part, Narelle Clark, deputy CEO of the Australian Communications Consumer Action Network, said she "commends" Catch of the Day for eventually notifying its customers of the 2011 breach, as transparency is "essential" for companies and brands.
"Firstly, it enables consumers to take steps to protect their data, such as by changing their passwords and usernames. Secondly, notification builds consumer trust and raises awareness among other businesses and their customers of the importance of implementing and maintaining sound data protection protocols."
But while voluntary disclosure may be commendable, it is not legally required. If a company waits three years to inform customers that their information has been hacked, or declines to reveal anything at all, customers currently have no legal recourse. Under the new bill, offenders could face civil penalties, including fines.
As major data breaches continue to make their way into headlines and as Catch of the Day customers take to social media to say the company "cannot be trusted", Dreyfus is more hopeful than ever that his bill will be passed this year.
"We can see no reason why this bill should not be passed," he said. "It reflects the better part of a decade's work in policy development and consultation...it has strong support from industry, from privacy advocates and IT professionals, and it ought to become law.
"Most Australians go to some lengths to protect their identities against fraud -- they should at least be able to rely on companies that hold their information to do their utmost to protect that information and to tell them when they haven't."
Update July 25 at 2:51 p.m. AEST: The Australian Federal Police provided a statement to CNET on the original Catch of the Day breach, which the company said it disclosed to police in 2011. According to an AFP spokesperson, "AFP records do not show that any complaint was received in 2011 from the Catch of the Day website".
CNET sought response from Catch of the Day who provided the following update: "We stand by our notification. Police were involved."