Companies will struggle to comply with the Federal Government’s mandatory data breach notification proposals unless detailed guidance is developed and consultation processes with the Privacy Commissioner are introduced, to help them determine whether they have a notification obligation, says an IT security expert from global consulting firm, Protiviti.
In its submission to the Federal Government’s consultation on the draft Bill requiring organisations to notify affected individuals and the Privacy Commissioner where they have been hit by a serious data security breach, Protiviti observed that unlike the European Union and United States, where an entity’s notification obligations are clearly defined, Australia’s draft legislation introduces sketchier concepts that could require organisations to make subjective judgement calls.
Specifically, the draft Bill requires entities to decide whether there are ‘reasonable grounds’ to believe a ‘serious data breach’ has occurred resulting in a ‘real risk of serious harm’ to affected individuals, before their notification obligation is triggered.
According to Ewen Ferguson, managing director at Protiviti, it will often be difficult for entities to judge whether all these thresholds are met. “After all, there’s a wide spectrum of circumstances in which a data breach can occur, ranging from an employee losing a laptop containing a limited amount of non-financial personal information, to a large scale malicious theft of credit card details. There will always be a multitude of factors at play and the outcome will not always be straightforward”, Mr Ferguson said.
“What’s more, in many cases it will not be clear who has acquired the data, and how or for what purposes the data was compromised, making it difficult for companies to gauge the severity and impact of the breach”.
Mr Ferguson explained that because the draft laws establish a ‘self-assessment’ regime, whenever the facts are ‘borderline’ or where a case for non-disclosure is at least arguable, it is more than likely that organisations will decide not to notify to avoid the reputational impact of public scrutiny. “The danger of a regime that encourages entities to ‘err on the side of non-disclosure’ is that it may not adequately protect the individuals affected by data breaches, as potentially ‘serious’ breaches may go unreported”.
Protiviti has recommended this concern be addressed in two ways.
“Firstly, to help organisations to accurately ‘self-assess’ their notification obligations, it’s essential that the Commissioner issue detailed criteria and case-study style guidance on how these concepts might operate in practice,” Mr Ferguson said.
“Secondly, there must be an avenue for entities to approach the Commissioner’s office for prompt, in-confidence advice on whether their notification obligations apply in cases where the outcome is unclear. This may be established as an administrative process by the Commissioner’s Office or formally in legislation similar to the way federal tax laws allow taxpayers to apply to the Australian Taxation Office for a binding ‘ruling’ on how the tax law applies to their circumstances.
“In any event, the process must be an expedited one where the Commissioner commits to making a prompt determination. Time is critical where data breaches are concerned and the process should not unduly prejudice an individual’s ability to take swift action to protect their interests where their data has been compromised,” Mr Ferguson added.
In its submission, Protiviti also expressed concerns that the proposed breach notification scheme may not encourage significant numbers of organisations to improve their data security in view of the light penalties for non-compliance.
“Despite the increasing incidence of cyber-attacks and existing fines of up to $1.7 million for breaches of the Privacy Act, many entities still do not have adequate controls to prevent or detect data breaches”, Mr Ferguson explained. “The cost for medium and large companies to upgrade information security practices to the standard required to identify a breach or reduce the likelihood of one occurring, could outweigh the maximum penalty of $1.7 million proposed by the breach notification laws. This may predispose some companies to run the risk of incurring a data breach because the quantifiable penalties are relatively insignificant.
“Many companies continue to step up their data security for ethical and reputational reasons anyway, irrespective of the penalty, because it is the ‘right thing to do’. However, for the few who don’t, a stiff penalty may well be the only effective wake-up call.
“If one of the key objectives of the proposed data notification laws is to encourage entities to take greater preventative measures to secure personal data, then the penalties for non-compliance under both the current Privacy Act and the proposed breach notification Bill, must be raised to a level that makes the cost of taking preventative action worthwhile, for the minority of companies that won’t choose to do the right thing,” Mr Ferguson said.
Examples of indicative benchmarks from other jurisdictions include the European Union’s new General Data Protection Regulation which imposes a fine of up to 4 per cent of global annual turnover, while Californian law permits affected parties to take civil action including class actions.
Submissions to the Federal Government’s consultation on the exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill, close today.
For further information contact Su Lin Ho on 02 9283 4110 or Viv Hardy on 02 9283 4113
About Protiviti Protiviti (http://www.protiviti.com.au/) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through its network of more than 70 offices in over 20 countries, Protiviti has served more than 35 percent of FORTUNE 1000® and FORTUNE Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Hunting for Hackers - Why Preventive Measures are Only Part of the Cyber Solution, Duncan Alderson, Senior Manager, Cyber & Forensics, PwC Australia | IDG Security Day
Interview with David Sykes, Business Leader, Sophos | IDG Security Day
Showreel | IDG Security Day conference, 21st June
Tools of the Trade: A Live Hacking Demonstration - Ty Miller, Director, Threat Intelligence | IDG Security Day
Publisher's Panel - Using AI for next-generation Cyber Security | IDG Security Day