It’s not that long since I wrote a blog post bemoaning Australia’s privacy laws as ‘toothless tigers’, pointing to our country’s lack of mandatory disclosure legislation as an ongoing challenge for information security. As such, I welcome Home Affairs Minister Brendan O’Connor’s recent announcement that disclosure and privacy reforms could be fast-tracked – if the department was presented with evidence that enterprise information security was inadequate. For all that, I’ll be keeping the bubbly on ice for the time being...
While I do welcome the prospect of reforms that feel like they’ve been in the discussion stages forever finally seeing the light of day, you have to question the adequacy of a process that calls on those with the most to lose to own up to their failings so you can expedite the process by which they’ll be penalised.
The Australian Law Reform Commission first published its recommendations for data breach notification legislation back in 2008. And with public consultation for the privacy reforms ending on November 3rd, it’s hard not to be cynical and wonder whether we’re looking at another long period of talk with little in the way of action. Meanwhile, SC Magazine reports that security specialists claim the scale of Australia’s data theft problem goes well beyond anything our government or even the local media know about.
Australians were first asked to consider whether privacy was a legal right back in 1937. On that occasion, Chief Justice Latham said that “Any person is entitled to look over the plaintiff’s fence and to see what goes on in the plaintiff’s land. If the plaintiff desires to prevent this, the plaintiff can erect a higher fence.”
All well and good when few homes had even a telephone, but in a digital age, it’s increasingly difficult for individuals to erect higher fences around all the personal data they’re obliged to submit for even the simplest of day-to-day tasks. Financial services verification routinely involves the furnishing of further identifying details, from passports to driving licences, place of work, payroll numbers, even your mother’s maiden name. And while logic says the onus for building adequate fencing around that data lies with the organisation that holds it, the law suggests otherwise – and the absence of any clear mandatory penalty underlines a highly unsatisfactory state of play.
While we’ve been strolling towards a solution, it’s not only technology that’s outstripping us; other countries and regions such as the EU and US have implemented some major changes in recent years, where prompt responses and fines for data breaches are the standard minimum requirement to keep organisations of all kinds on their toes.
Data breaches are, sadly, inevitable. It’s impossible to prevent an employee from accidentally leaving sensitive paperwork on public transport, for example. But there are still some practical solutions. In the first instance, it’s important that legislation is in place; after that, it’s ultimately up to businesses to take responsibility for themselves by taking practical steps to educate employees and create visible security across the organisation. Businesses should apply visible security strategies, informing users of policies, using tools to remind staff of what constitutes a breach and enabling managers to get a better handle on their data and where it is.
Businesses in Australia are playing their part, but more certainly needs to be done when it comes to legislation and education. As of April this year, twice as many breaches were reported compared to 2010. The law needs to be reinforced and reviewed to accelerate post-breach actions so that companies can take responsibility and put solutions in place. The time for talk has passed.
Phil Vasic is Regional Director, APAC, at software security company Clearswift.