Govt's data breach bill will unleash confusion, says expert

07 Mar 2016

Australian organisations will struggle to comply with the Federal Government’s mandatory data breach notification proposals, according to consulting firm Protiviti.

The company says that unless detailed guidance is developed and consultation processes with the Privacy Commissioner are introduced to help businesses determine whether they have a notification obligation, there will be compliance confusion.

In its submission to the Federal Government’s consultation on the draft Bill requiring organisations to notify affected individuals and the Privacy Commissioner where they have been hit by a serious data security breach, Protiviti observed that unlike the European Union and United States, where an entity’s notification obligations are clearly defined, Australia’s draft legislation introduces sketchier concepts that could require organisations to make subjective judgement calls.

Specifically, Protiviti says the draft Bill requires entities to decide whether there are ‘reasonable grounds’ to believe a ‘serious data breach’ has occurred resulting in a ‘real risk of serious harm’ to affected individuals, before their notification obligation is triggered.

According to Ewen Ferguson, managing director at Protiviti, it will often be difficult for entities to judge whether all these thresholds are met. 

“After all, there’s a wide spectrum of circumstances in which a data breach can occur, ranging from an employee losing a laptop containing a limited amount of non-financial personal information, to a large scale malicious theft of credit card details,” says Ferguson.

“There will always be a multitude of factors at play and the outcome will not always be straightforward,” he says.

“What’s more, in many cases it will not be clear who has acquired the data, and how or for what purposes the data was compromised, making it difficult for companies to gauge the severity and impact of the breach,” Ferguson explains.

Ferguson says that because the draft laws establish a ‘self-assessment’ regime, whenever the facts are ‘borderline’ or where a case for non-disclosure is at least arguable, it is more than likely that organisations will decide not to notify to avoid the reputational impact of public scrutiny. 

“The danger of a regime that encourages entities to ‘err on the side of non-disclosure’ is that it may not adequately protect the individuals affected by data breaches, as potentially ‘serious’ breaches may go unreported,” he explains.

Ferguson says this concern can be addressed in two ways.

“Firstly, to help organisations to accurately ‘self-assess’ their notification obligations, it’s essential that the Commissioner issue detailed criteria and case-study style guidance on how these concepts might operate in practice,” he says.

“Secondly, there must be an avenue for entities to approach the Commissioner’s office for prompt, in-confidence advice on whether their notification obligations apply in cases where the outcome is unclear.

“This may be established as an administrative process by the Commissioner’s Office or formally in legislation similar to the way federal tax laws allow taxpayers to apply to the Australian Taxation Office for a binding ‘ruling’ on how the tax law applies to their circumstances,” says Ferguson.

“In any event, the process must be an expedited one where the Commissioner commits to making a prompt determination,” he continues.

“Time is critical where data breaches are concerned and the process should not unduly prejudice an individual’s ability to take swift action to protect their interests where their data has been compromised,” Ferguson adds.

In its submission, Protiviti also expressed concerns that the proposed breach notification scheme may not encourage significant numbers of organisations to improve their data security in view of the light penalties for non-compliance.

“Despite the increasing incidence of cyber-attacks and existing fines of up to $1.7 million for breaches of the Privacy Act, many entities still do not have adequate controls to prevent or detect data breaches,” Ferguson explains.

“The cost for medium and large companies to upgrade information security practices to the standard required to identify a breach or reduce the likelihood of one occurring, could outweigh the maximum penalty of $1.7 million proposed by the breach notification laws,” he says.

“This may predispose some companies to run the risk of incurring a data breach because the quantifiable penalties are relatively insignificant. 

“Many companies continue to step up their data security for ethical and reputational reasons anyway, irrespective of the penalty, because it is the ‘right thing to do’.

“However, for the few who don’t, a stiff penalty may well be the only effective wake-up call,” Ferguson says.

“If one of the key objectives of the proposed data notification laws is to encourage entities to take greater preventative measures to secure personal data, then the penalties for non-compliance under both the current Privacy Act and the proposed breach notification Bill must be raised to a level that makes the cost of taking preventative action worthwhile, for the minority of companies that won’t choose to do the right thing,” he explains.

Examples of indicative benchmarks from other jurisdictions include the European Union’s new General Data Protection Regulation which imposes a fine of up to 4% of global annual turnover, while Californian law permits affected parties to take civil action including class actions.