It took years of discussion and several revisions, but experts believe the long-awaited passage of Australia’s breach notification legislation will kick off a new era of transparency that will rapidly improve understanding of the country’s real cybersecurity threat climate.
The enabling legislation – contained within the Privacy Amendment (Notifiable Data Breaches) Bill 2016 – passed both houses of Parliament after a series of readings since it was first formally introduced to Parliament last October. But the process of authoring, revising and discussing the legislation stretches back several years, with one security executive after another warning that continued inaction was hobbling Australia’s ability to improve its overall cybersecurity posture.
“The weaker breach disclosure laws in Australia have been a factor in the general low priority and complacency around security,” Cisco principal and cybersecurity evangelist Richard Staynings recently warned in reference to his work on data privacy within the often-targeted healthcare industry.
“Australia has really dragged its feet around breach notification requirements, and this has led to a lack of understanding by the general public about what types of information are actually being stolen.”
Introduction of a formal notification regime “is probably the best stick,” says Ray Simpson, Asia-Pacific director of compliance and risk services with security consultancy Trustwave. “There are a lot of breaches that occur on a daily basis but are not necessarily published, and we are in a situation where organisations may feel a bit secure knowing there is going to be no disclosure.”
“We may see a change in that mindset when disclosure is required,” he continues. “It really does drive companies to a whole new level in terms of investing in information security by virtue of the reputational impact from disclosing breaches. That has a positive effect on the market.”
Australia’s slowness in passing breach legislation, which has already been in place for some time in the US and many European countries, has been regularly called out as a systemic deficiency within businesses and government agencies that have been struggling to contain a growing cybersecurity threat.
Recent analysis found that Australia has been leading the APAC region in reported data breaches, even without a mandatory scheme in place. The Office of the Australian Information Commissioner (OAIC), which more than two years ago flagged the importance of notification as part of its published guidelines for handling data breaches, reported receiving just 107 voluntary and 16 mandatory data breach notifications in fiscal 2016.
Rajiv Shah, director of cyber, intelligence and security with BAE Systems, was among the industry experts welcoming passage of the legislation – which, he said in a statement, provides “much needed clarity on the responsibilities of organisations and should kick-start a culture of information sharing needed to defend against cyber criminals. The new laws balance the need for consumers and businesses to know if their data has been compromised by a breach in a timely and clear way, while also not over-burdening organisations.”
Australia has been “a long way behind the curve” when it comes to the transparency that a breach-notification regime provides, Jones Day solicitor Adam Salter previously told CSO Australia, while vendors have variously linked better notification with ancillary requirements such as continuous authentication and better cybersecurity insurance policies.
Some industry figures worried that the disclosure thresholds delineated in the legislation could create confusion within the industry, while Australia’s peak marketing industry association previously warned that the notifications would become “white noise” that consumers would ultimately ignore.
Recent moves to formalise breach reporting have hinted that the legislation’s passage was imminent, with the Australian Signals Directorate (ASD) revamping its best-practice guidance around cybersecurity breaches and the Office of the Australian Information Commissioner (OAIC) recently debuting a portal that includes components for visualising breach reporting.