It’s unlikely 2011 will go down in history as a great year for information security. The year is barely half over, but already we have witnessed some of the largest hacking attacks since the advent of computing. So far, media organisations, game companies, banks and governments have all been the targets of large-scale attacks by international hackers, with big-name brands like Sega, Nintendo and Citigroup, as well as large public organisations like the CIA and the Malaysian government, all suffering cyber attacks in recent months.
In late April, Sony Entertainment’s PlayStation online gaming network was the target of perhaps the largest hacking attack in history, compromising the details of as many as 100 million customers. Closer to home, Australian telecommunications company Vodafone was the subject of an inquiry by the Privacy Commissioner, Timothy Pilgrim, after an alleged security breach.
Even the security providers themselves are not immune. In March, information about RSA’s SecurID authentication tokens — which are used by many of Australia’s largest banks and government agencies — was stolen in what the company described as an “extremely sophisticated cyber attack”.
In RSA’s case, the company was the victim of an ‘advanced persistent threat’ (APT) attack: a sustained, targeted intrusion in which the attacker researches the company’s network, employees and internal processes in advance and works patiently toward a specific objective. The RSA intrusion reportedly began with targeted phishing emails carrying a malicious spreadsheet attachment sent to a small number of staff.
But data breaches don’t have to be sophisticated to cause severe, costly damage to a company’s business or brand. Low-tech causes such as simple human error or disgruntled employees are responsible for many data breaches, a risk that continues to rise as portable devices such as USB sticks, laptops, tablets and smartphones, all of which are easily lost or stolen, spread rapidly throughout organisations. In June, for example, the Australian Institute of Company Directors (AICD), a high-profile peer organisation for local company directors, warned members to be alert for identity fraud after announcing that a laptop had been stolen from its offices during a power outage.
According to research conducted by Symantec and the Ponemon Institute, the average cost of significant data breaches reported by Australian organisations was about $2 million in 2010. That figure is only the tip of a very large iceberg, however, because it counts direct costs rather than market reaction. Once news of the breach at Sony reached investors, for example, the company lost about $2 billion in market capitalisation overnight. Numbers like that are enough to keep any CIO awake at night.
The legislative landscape
The European Union (for telecommunications providers), parts of Canada and most US states have laws requiring mandatory disclosure and notification of a data breach. Australia, however, has no such requirement — at least not yet.
In August 2008 the Australian Law Reform Commission tabled ALRC Report 108, Australian Privacy Law and Practice, the culmination of a 28-month inquiry into the Privacy Act and related laws. The result is a three-volume report containing 74 chapters and 295 recommendations for reform. Despite that multitude of recommendations, including calls for mandatory notification of data breaches, the proposed changes have languished in limbo for almost three years. In fact, Australia’s Privacy Commissioner was effectively demoted last November when the role was folded into the Office of the Australian Information Commissioner, a move that privacy advocates view as an unfortunate indicator of the low priority privacy issues have among local regulatory bodies.
“One can only guess about the reasons for the delay in implementing these recommendations, but the government doesn’t appear to think privacy issues need to be resolved with any sense of urgency,” says David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of NSW, which contributed several submissions to the ALRC report.
“It’s a pity this is the situation, because social networking and Cloud computing are making personal information security issues more critical than ever,” Vaile says.
“There are many areas where this failure to implement the proposals from the ALRC 108 report is detrimental, particularly in e-health, where these kinds of policy problems have serious ramifications.”
Australian law might be weak in the area of data breach notification, but that doesn’t mean local CIOs should feel confident that news of a breach at their organisation won’t go public. Modern commerce doesn’t recognise borders, and if an Australian company holds data on customers in other jurisdictions there’s a good chance it will be subject to mandatory disclosure legislation in another country. Information about breaches has also been known to reach the media through affected customers or to be leaked by disaffected employees.
The fact is, Australian companies risk public disclosure if they lose personally identifiable information, whether regulators force them to disclose it or not. And if that happens, they are likely to suffer a catastrophic fall from grace with their customers.