Weak data breach disclosure laws for IP theft leave vital Australian industries vulnerable
Intellectual Property (IP) theft allegedly carried out by foreign nations on behalf of foreign companies is rampant across swaths of Australian industries. However, due to the existing Notifiable Data Breach (NDB) legislation, Australian organisations only need to notify the OAIC about a data breach pertaining to personal information but not to other sensitive data, such as IP.
This loophole is leaving crucial Australian industries, including agriculture, oil and gas, mining, logistics, and education, vulnerable to future data breaches, given the blind spots over past hacks, says new commentary from cybersecurity leader Infoblox. The company has seen unprecedented levels of demand for cyber protection from companies outside the scope of the Critical Infrastructure Act, both those who have discovered security events and those who fear falling victim to IP theft.
IP theft is a big deal, and we are seeing more and more serious cases of it. There have already been instances where foreign companies using stolen Australian IP underbid Australian organisations to win projects. We, along with the cybersecurity sector and industry bodies, are calling for the government to apply the Security of Critical Infrastructure Act to more industries and to mandate notification for breaches of all sensitive data, which would bolster defences across the board.
Currently, the Federal Government has little to no visibility of this area because, under the existing Notifiable Data Breach (NDB) scheme, organisations must only notify the OAIC about an eligible data breach if the breach relates to personal information. This does not cover IP, so companies do not even report such breaches. Likewise, if a company falls outside the Critical Infrastructure Act, it may not have to report or release its data on hacks.
This means the Federal Government has no idea, and no way of knowing, how big this problem really is. Naturally, companies don't want to talk about breaches because it's embarrassing for them, and it's not mandated, so they don't have to. This is leading to a big problem in learning how to address attacks – something many industries face together. Visibility of the problem is paramount to addressing it.
Another example is the huge increase in hacking attempts targeting the research departments of universities, trying to steal hard-earned knowledge for commercial purposes.
The problem goes even deeper when considering the lack of robust deterrents to ensure mandatory data breach reporting actually happens. By global standards, Australia has some of the lowest non-compliance fines in the Western world. Most fines are around the AUD$500,000 mark, with the maximum fine as of last year being just AUD$10 million. That is small when considering the huge amounts of money flowing through our big banks, mining companies, telcos and pharmas, and nowhere near the USD$5 billion paid by Facebook or the £183 million (AUD$318 million) paid by British Airways in the UK in 2019.
According to a 2019 report, of the 964 notifications that were made to the Office of the Australian Information Commissioner (OAIC) under the mandatory notifiable data breach scheme between April 2018 and March 2019, not one received a fine.
It begs the question: when organisations see breach disclosure as significantly negatively impacting the reputation of their business, how much of a disincentive are the existing non-disclosure fines, even at the now marginally higher level than last year?
With tense trading relations between Australia and overseas nations such as China, overtly calling out IP theft as a breach of bilateral cyber espionage agreements could make mending diplomatic relations even more difficult. Addressing these issues on home soil and bringing them under the wing of the Security of Critical Infrastructure Act and the Notifiable Data Breach (NDB) legislation is more important than ever.