Data breach law will not change status quo: claim

Australia's data breach law, which takes effect on 22 February, will be among the weakest in the world and, as it stands, is unlikely to put any pressure on businesses to change the way they protect personal data, the founder and chief technology officer of a cyber security consulting firm claims.

Phil Kernick of CQR Consulting told iTWire that he was not saying the law was pointless. "There is clearly a need for protection of personal data held by businesses," he said. "The problems arise from the fact that the laws don't effectively internalise the costs that result when a data breach occurs."

Failing to notify those affected by a breach, as the law requires, will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines. Only organisations with annual revenue of more than $3 million are covered.

Kernick said when a breach that resulted in the loss of personal customer data took place, there was an external cost borne by the victims.

"This cost can range from mild inconvenience for those affected, such as the need for a new credit card, to larger costs like reputational and financial damage," he pointed out.

"For the business itself, however, there is often little more than a short-term reputational loss that occurs. History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations. Even dating site Ashley Madison continues to flourish following a massive data breach back in 2015."

As a result, he said, there had been little incentive for businesses to increase their security budgets to ensure proper protection of personal data – the associated costs had not been internalised.

"This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take."

Asked about the costs that a business would suffer due to class action suits following a breach and whether that would not act as an incentive to have better security, Kernick responded: "It's possible, but not probable. We aren't as litigious as other countries, and given the Privacy Act already defines the process and penalties, it's hard to see the Federal Court hearing such an action."

He said that under the new law, any business affected by a data breach was responsible for deciding whether "serious harm" was likely to occur to any person whose data had been compromised.

"If the company decides the serious harm bar has not been exceeded, it doesn't have to take any action at all. So, a company could simply decide that having a customer's personal contact details out on the Internet will not result in serious harm to them - and that's the end of it," he said.

"There is nothing to compel them to take any other steps. In fact, if you look at data breaches that have already occurred in Australia, it is hard to find one where the 'serious harm' definition would actually have come into play. Clearly these new rules need to be toughened up.

"If a business does decide that serious harm could occur to individuals who have had their personal data stolen, all that the management has to do is provide a statutory notification to the Privacy Commissioner who may then determine that all that's required is the posting of that declaration on its website."

Asked why the government had set the bar so low that in effect it was a case of the fox watching the hen house, Kernick pointed to a clause in the privacy law: "In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of notification fatigue among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement."

His interpretation of that was, "reading between the lines, the ALRC (Australian Law Reform Commission) seems to believe that there are going to be a lot of data breaches. The serious harm threshold will be set by common law, so expect that there will be cases intended to set exactly this bar."

As to how the law could be strengthened so that it would be more meaningful, Kernick said first, the responsibility for determining whether the serious harm bar had been exceeded should be shifted from the affected company to the Privacy Commissioner.

Then there should be a provision included that stipulated whenever a data breach occurred, the business was obliged to contact every customer and let them know about the incident, whether it met the definition of serious harm or not. This would mean a cost for the business, which would encourage it to strengthen security ahead of time.

"The Australian Government should also look closely at the privacy regulations now in place in other parts of the world," Kernick recommended. "For example, the General Data Protection Regulation rules in the European Union (which come into force in May this year) provide the ability to levy fines equivalent to 4% of a company's annual turnover."

He said if such rules existed in Australia it would mean a change in the rules of the game.

"These extra steps need to be taken as soon as possible to internalise the costs of data breaches and ensure that businesses in Australia are taking all the steps required to effectively secure the personal data they are storing," Kernick added. "Doing nothing means the burden unfairly remains with affected individuals rather than the businesses that have been careless with their data."

When it was suggested that the law was more of a band-aid to cover for the fact that Australia has had no data breach law, and to pacify trading partners and the public, Kernick took a more moderate tone.

"It's a good start. We are slow to the party but at least we are now there," he conceded. "The opportunity exists to strengthen the regulations going forward. Remember there are still large carve-outs in the Privacy Act. State governments and local councils, which hold vast amounts of personal information, are currently exempt."


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.
