Companies will struggle to comply with the Federal Government’s mandatory data breach notification proposals unless detailed guidance is developed and consultation processes with the Privacy Commissioner are introduced to help them determine whether they have a notification obligation, says an IT security expert from global consulting firm Protiviti.
In its submission to the Federal Government’s consultation on the draft Bill requiring organisations to notify affected individuals and the Privacy Commissioner where they have been hit by a serious data security breach, Protiviti observed that unlike the European Union and United States, where an entity’s notification obligations are clearly defined, Australia’s draft legislation introduces sketchier concepts that could require organisations to make subjective judgement calls.
Specifically, the draft Bill requires entities to decide whether there are ‘reasonable grounds’ to believe a ‘serious data breach’ has occurred resulting in a ‘real risk of serious harm’ to affected individuals, before their notification obligation is triggered.
According to Ewen Ferguson, managing director at Protiviti, it will often be difficult for entities to judge whether all these thresholds are met. “After all, there’s a wide spectrum of circumstances in which a data breach can occur, ranging from an employee losing a laptop containing a limited amount of non-financial personal information, to a large-scale malicious theft of credit card details. There will always be a multitude of factors at play and the outcome will not always be straightforward,” Mr Ferguson said.
“What’s more, in many cases it will not be clear who has acquired the data, and how or for what purposes the data was compromised, making it difficult for companies to gauge the severity and impact of the breach”.
Mr Ferguson explained that because the draft laws establish a ‘self-assessment’ regime, whenever the facts are ‘borderline’ or where a case for non-disclosure is at least arguable, it is more than likely that organisations will decide not to notify to avoid the reputational impact of public scrutiny. “The danger of a regime that encourages entities to ‘err on the side of non-disclosure’ is that it may not adequately protect the individuals affected by data breaches, as potentially ‘serious’ breaches may go unreported”.
Protiviti has recommended this concern be addressed in two ways.
“Firstly, to help organisations to accurately ‘self-assess’ their notification obligations, it’s essential that the Commissioner issue detailed criteria and case-study style guidance on how these concepts might operate in practice,” Mr Ferguson said.
“Secondly, there must be an avenue for entities to approach the Commissioner’s office for prompt, in-confidence advice on whether their notification obligations apply in cases where the outcome is unclear. This may be established as an administrative process by the Commissioner’s Office or formally in legislation similar to the way federal tax laws allow taxpayers to apply to the Australian Taxation Office for a binding ‘ruling’ on how the tax law applies to their circumstances.
“In any event, the process must be an expedited one where the Commissioner commits to making a prompt determination. Time is critical where data breaches are concerned and the process should not unduly prejudice an individual’s ability to take swift action to protect their interests where their data has been compromised,” Mr Ferguson added.
In its submission, Protiviti also expressed concerns that the proposed breach notification scheme may not encourage significant numbers of organisations to improve their data security in view of the light penalties for non-compliance.
“Despite the increasing incidence of cyber-attacks and existing fines of up to $1.7 million for breaches of the Privacy Act, many entities still do not have adequate controls to prevent or detect data breaches,” Mr Ferguson explained. “The cost for medium and large companies to upgrade information security practices to the standard required to identify a breach or reduce the likelihood of one occurring could outweigh the maximum penalty of $1.7 million proposed by the breach notification laws. This may predispose some companies to run the risk of incurring a data breach because the quantifiable penalties are relatively insignificant.
“Many companies continue to step up their data security for ethical and reputational reasons anyway, irrespective of the penalty, because it is the ‘right thing to do’. However, for the few who don’t, a stiff penalty may well be the only effective wake-up call.
“If one of the key objectives of the proposed data notification laws is to encourage entities to take greater preventative measures to secure personal data, then the penalties for non-compliance under both the current Privacy Act and the proposed breach notification Bill must be raised to a level that makes the cost of taking preventative action worthwhile for the minority of companies that won’t choose to do the right thing,” Mr Ferguson said.
Examples of indicative benchmarks from other jurisdictions include the European Union’s new General Data Protection Regulation, which imposes a fine of up to 4 per cent of global annual turnover, and Californian law, which permits affected parties to take civil action including class actions.
Submissions to the Federal Government’s consultation on the exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill close today.
For further information contact Su Lin Ho on 02 9283 4110 or Viv Hardy on 02 9283 4113.
About Protiviti
Protiviti (http://www.protiviti.com.au/) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.