A year after Australia’s long-fermenting notifiable data breaches (NDB) legislation received royal assent, the new code has today taken effect – ushering in a new era of disclosure obligations that could, depending on whom you talk to, be a major step towards cybersecurity transparency or a damp squib due to purposely vague legislation.
Looking past the surprise resignation of Australian information commissioner Timothy Pilgrim – the long-serving bureaucrat who has survived uncertain agency status to oversee the codification of the NDB scheme and tighter controls – the Office of the Australian Information Commissioner (OAIC) has gone all-in on the NDB, this week releasing a data breach preparation and response guide and clarifying reporting obligations for small businesses.
It has also released guidance about how affected organisations should notify the OAIC of a data breach, with resources about proper processes and wording of statements that must be sent to people whose personally identifiable information (PII) has been compromised.
Industry players have weighed in on the legislation, with IBM Security master inventor Chris Hockings noting the importance of engaging company executives as well as technology staff.
“With the increased accountability of boards to cyber security incidents, an organisation requires a proactive security approach,” he said in a statement. “To meet the obligation of the Privacy Act and to meet customers’ expectations, acting with speed and precision is essential.”
“Boards must encourage technology partnerships with experts that can provide the tools and insight needed for C-level and board members to stay informed and respond effectively…. For [NDB] to be a success requires all businesses to take a renewed approach to managing their security defences, to ensure that personal information is adequately protected.”
That change is proving harder than might be expected, with recent surveys suggesting that as many as 6 in 10 companies still didn’t understand their obligations under the legislation just weeks before it was scheduled to take effect.
Lack of awareness is only one issue: Phil Kernick, founder and CTO at CQR Consulting, recently went on the record warning that the NDB laws “will be among the weakest of any in the world”.
“Once the dust settles, it will become clear that they will impose little to no pressure on businesses to change the way they currently protect personal data,” he said, noting that the wording of the regulations leaves it up to companies to decide whether “serious harm” has occurred. “If the company decides the serious harm bar has not been exceeded, it doesn’t have to take any action at all.”
“History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations,” he continued. “As a result, there has been little incentive for businesses to increase their security budgets to ensure proper protection of personal data…. This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take.”
Outside assessments of organisations’ true exposure naturally depend on how many breaches are disclosed – and Trend Micro, for one, noted with interest in its 2017 Annual Security Roundup that the number of data breaches disclosed in 2017 actually fell by 32 percent from 2016 – from 813 disclosures to just 553 – despite mounting pressure on organisations to disclose more often.
The dip “seems to be a prelude to” the European Union’s General Data Protection Regulation (GDPR), which comes into effect in May – and about which the OAIC has also offered guidance – the firm’s analysis concluded.
“GDPR will have rigid compliance standards pertaining to data breach notifications. Steep penalties also await enterprises in the event of their failure to act in accordance with the regulation…. [and] though the motives for breaking into enterprises’ databases and systems vary, the methods continue to revolve around tried and tested practices.”
Trend Micro has also warned about likely extortion attempts as criminals calculate what a company’s exposure would be under GDPR, then demand a somewhat smaller ransom to avoid disclosure of stolen data.
The latest report “reveals a threat landscape as volatile as anything we’ve seen, with cybercriminals increasingly finding they’re able to gain more — whether it’s money or data or reputation damage — by strategically targeting companies’ most valuable assets,” Trend Micro director and data scientist Dr Jon Oliver said in a statement.
“In Australia we’re likely to see the number of reported breaches double this year, improving not only organisations’ transparency and compliance to NDB legislation changes but also minimising the value of the data criminals have access to.”