With the recent passing of mandatory data breach notification laws through the Senate, Australia is poised for a new dawn of accountability, transparency, and cyber knowledge sharing. Until now, it has been too easy for Australian organisations to indulge in denial, preferring to keep data breaches quiet for fear of reputational damage, eroded consumer trust and costly litigation. This approach has not only placed short-term business imperatives above the concerns and needs of their customers, but it has also impeded the effective sharing of threat intelligence that can collectively make all organisations more secure.
Under the mandatory data breach notification laws, where an organisation suspects a data breach has taken place, it must now assess the circumstances within 30 days to determine whether a breach has occurred, and therefore whether it needs to notify the Office of the Australian Information Commissioner (OAIC). The legislation covers government agencies and organisations governed by the Privacy Act, which means that state government organisations and local councils, plus organisations with a turnover of less than $3 million a year, do not need to comply with the legislation.
The legislation gives the government a year to pick a date, otherwise the law will kick in 12 months from when it receives royal assent from the governor-general.
In 2016, the OAIC received just 107 voluntary data breach notifications, most of which were from government bodies, a number which is expected to skyrocket with the recent passing of the Notifiable Data Breaches Bill by the Senate.
This legislation provides much needed clarity on the responsibilities of businesses in the disclosure of data breaches to the OAIC, and will in turn diminish tendencies to evade the problem, kick-starting a culture of information sharing needed to better defend against cyber criminals.
With the death of denial, these laws will reduce confusion around when and what to disclose, build trust with the Australian public, build knowledge around cyber-adversaries, and set an example to small businesses that fall outside of the legislation.
No ‘grey area’
Disclosure in a timely manner is often perceived as a confusing task by Australian businesses. There is a legitimate need to balance the risks of disclosing too early, when accurate information on the nature and impact of the breach may not be available, against undue delay that may leave customers exposed longer than necessary.
Unfortunately, without regulation to set a time limit for notification, it can be too easy for companies to keep putting off making any notification. In recent times there have been notable examples of companies such as Yahoo and CatchoftheDay sitting on a serious data breach for years before telling customers.
The Notifiable Data Breaches Bill will drastically reduce or remove any ‘grey area’ where organisations lack clarity on the appropriate steps to deal with a data breach, by outlining the minimum standards and procedures that businesses must follow when they experience a breach, and by setting a clear 30-day limit for completing them.
Transparency drives trust
There’s a significant trust benefit to be gained from mandatory notification.
These new laws balance the need for consumers and businesses to know if their data has been compromised by a breach in a timely and clear way, while also not over-burdening businesses with heavy compliance requirements. Ultimately, what we have is a well-balanced privacy framework which provides a more transparent environment for Australians to entrust their personal information to organisations.
By preserving public confidence and participation in the digital economy, the nation will continue to benefit from the associated economic growth.
Smarter about our cyber-adversaries
We have always encouraged organisations to voluntarily share intelligence on successful, and indeed unsuccessful, attacks, in order to build better knowledge and data on the cyber threat landscape.
Attacks are being conducted by increasingly well-resourced and skilled criminals. With a higher level of disclosure and information sharing between Australian businesses, our knowledge of the cyber-adversaries who target Australia, particularly the sophisticated ones, will continue to grow, and we’ll see cyber-defence and cyber-security capabilities improve.
Set an example to small businesses
Entities already exempt from the operation of the Privacy Act in whole or in part, including most small businesses, will continue to be so. However, there is nothing stopping small businesses from notifying the OAIC should they experience a data breach and we encourage them to do so. In an environment where data breach notification is the norm, this will allow them to build trust with their customers and learn from the experiences of others, without the fear of standing out from the crowd.
The passing of the Notifiable Data Breaches Bill shows clear leadership from the Australian Government, in the protection of customers, better sharing of threat knowledge and lessons learnt, and removal of the easy option of denial. This leadership will act as a clear signal to boards that cybersecurity is a business risk that requires their attention.
All organisations should ensure they have a clear view of their information assets and their potential cyber risks. This in turn should inform appropriate protection and monitoring of networks. Now is the time to ensure that businesses have a robust cyber incident response plan in line with the new laws, so they know whom to call and how to react when there is a security breach.