Australian businesses that have to date been able to manage their security breaches privately will soon be legally obliged to disclose data breaches, under a new bill passed by the Federal Government. After several failed attempts spanning more than one government, the bill has finally passed the Senate. In a nutshell, companies will need to disclose when their systems have been compromised, whether through technical shortcomings or a cyber attack.
Given the recent number of data breaches and the subsequent exposure of considerable private information, many believe the legislation is long overdue. So much so that the bill has support from both sides of parliament. It is a clear message that regulation is required to keep the interests of the community at the forefront of business practice. It reaffirms that an individual has a right to privacy, and that whoever collects, processes and stores personal information has a responsibility to protect it in accordance with community expectations, and now legal ones.
WHO WILL BE AFFECTED?
The bill applies to organisations that already have responsibilities under the Privacy Act:
- Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
The Privacy Act also applies to some types of businesses with an annual turnover of $3 million or less. These businesses include:
- Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
- Child care centres, private schools and private tertiary educational institutions
- Businesses that sell or purchase personal information, and credit reporting bodies
The bill stipulates that disclosure is required when a breach qualifies as an "eligible data breach": one where a reasonable person would conclude that the unauthorised access to or disclosure of personal information is likely to result in "serious harm" to an affected individual. For more information on what constitutes a risk of serious harm, the Australian Law Reform Commission provides additional guidance.
Some have argued that an organisation's ability to self-assess what constitutes a risk of serious harm gives some organisations an opportunity to sidestep the bill's mandatory disclosure requirements by adopting a convenient interpretation of "serious harm". That opportunity may well exist; however, organisations need to tread carefully, as blatant disregard and avoidance will be identified and organisations will be held accountable.
NOTIFICATIONS AND PENALTIES
Where an organisation suspects a breach, it has up to 30 days to assess whether the breach is an eligible data breach; once it is satisfied that it is, it must notify the Privacy Commissioner and the affected individuals as soon as practicable. As detailed in the bill, failure to comply with the new notification scheme will be "deemed to be an interference with the privacy of an individual", and there will be consequences:
"A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate."
CLAIMS OF NOTIFICATION FATIGUE AND HEAVY HANDEDNESS
Critics and opponents of the bill claim organisations will be overwhelmed by reporting requirements, resulting in notification fatigue. The alleged "unreasonable compliance burden" would see organisations struggling to understand their obligations and compliance responsibilities.
Some may argue these opponents fail to grasp what is required in the digital age. The game has changed, the risks have intensified and it is all there online for the taking. The stakes have never been higher; our nation's assets have never been more under threat; and an individual's right to keep certain aspects of their life private, not simply for financial or legal reasons but for ever-increasing health reasons, just does not seem to resonate with some. For others it is a simple question: do the benefits merit the additional effort? To use the country's current default standard, "the pub test", it certainly appears so.
There is no doubt the bill will introduce additional workload and complexity for some organisations, but this is simply the cost of doing business in the digital age. The upside of the online economy far outweighs any additional reporting requirements. Moreover, the Australian data breaches of 2016 highlight that the absence of compliance reporting and regulatory control has caused its own kind of "notification fatigue", albeit for different reasons. If you are not convinced, consider the following statistics, courtesy of CIO Australia, 21 September 2016:
"More data breaches have been reported in Australia than anywhere else in the APAC region so far this year, according to a security index. The Gemalto Breach Level Index recorded 22 incidents in Australia in the first half of the year, far more than the 13 recorded in India and seven in Japan and New Zealand. The APAC region accounted for 8 per cent of incidents worldwide, compared with 79 per cent that targeted North America. The most severe incident in Australia so far this year was Menulog, which suffered from a breach of 1.1 million records leaving customer names, addresses, order histories and phone numbers exposed."
These statistics may suggest, certainly to critics of the bill, that Australia's poor APAC ranking reflects a greater willingness to disclose than other nations show, and so prove that legislation is unnecessary. Sceptics would counter that it is a data breach iceberg: you need to worry more about what you do not see than about what you do.
On these figures Australia is an outlier, a long way ahead of its regional neighbours, and that is becoming a major concern to the Australian Government, Australian security professionals and savvy business leaders.
Emerging IT trends will only heighten these concerns, and the Internet of Things will blow the door off current ideas of what constitutes a target, introducing a scale of breach and disclosure that for many still seems unimaginable. When a TV or refrigerator is capable of exposing your personal information, relying exclusively on company self-regulation and voluntary reporting underestimates the emerging risk and its impact.
[Figure: Gemalto Breach Level Index]
Many cyber security experts ask: if this is what we know in an Australian context where breach disclosure is not mandatory, what don't we know? How much private data is out there waiting to be discovered?
There have been suggestions that the new bill is too heavy-handed and that voluntary disclosure is a better option. As plausible as this sounds, can it really hold up? Admittedly, many organisations would do the right thing and disclose their failures; however many, given the right circumstances, may be inclined to "damage control" the situation and hope it can be managed internally. This may suit an organisation's overall best interests, but does it represent the best interests of the community or the individual? Competing best interests simply do not scale well in an online world. At some point someone has to pay: the customer, the organisation, the community, and often more than originally anticipated.
TAKE IT AS A POSITIVE
Organisations should view the introduction of this new legislation as a positive: an opportunity to align people, processes and technology to ensure better compliance and more effective security controls against cyber attacks and emerging threats. The legislation will provide clarity of purpose for those responsible for compliance, and will help senior executives identify where their security dollars should be spent and to what end.
Written by Alan Mihalic
Cyber Security Advisor