Your Risk Management Magazine
Breach efforts should focus on human error


A VISITING security and privacy expert has put the lack of major data breaches reported in Australia down to one cause: lack of breach notification laws.

The Federal Government this week tabled the Australian Law Reform Commission’s (ALRC) report into privacy, which includes a recommendation that it be mandatory to report “sufficiently serious” data breaches.

However, special minister of state Senator John Faulkner – who has responsibility for privacy policy along with Attorney-General Robert McClelland – said they would consider data breach rules only after dealing with other aspects of the report, including unified privacy principles, health and credit reporting. The Government expects to legislate on this first stage within 18 months.

Adel Melek, Deloitte’s global head of security and privacy, said that if organisations are required to report breaches in Australia, it will likely uncover levels of data loss or theft equivalent to that overseas.

“All of a sudden people are waking up to these things. The threat level has massively changed everywhere, to some degree there is an increased level of sophistication [of attacks], and the degree of connectivity has also contributed to this,” he said.

“But the reality is, when there is no mandatory law that forces organisations to notify customers and to publicly indicate that they have experienced a breach, it is really left to the discretion of the organisation and the executive.”

ALRC president, Professor David Weisbrot, said it is highly likely there is “under-reporting” of breaches in Australia.

But in its report, For your information: Australian Privacy Law and Practice, the ALRC recommends breach reporting only where there is a “risk of serious harm” to the individuals concerned, so as to avoid imposing a significant compliance burden for minor breaches and the danger of ‘notification fatigue’, where it becomes difficult to determine which breaches are serious enough to cause harm.

The ALRC said the Office of the Privacy Commissioner should develop guidelines to help organisations determine what constitutes a serious breach and the likelihood that it will result in identity fraud, in conjunction with other agencies such as the Australian Federal Police.

Senator Faulkner said the data breach rules, along with exemptions in the privacy regime, would be addressed later due to the “complexity and sensitivity of these questions”. He said “it makes more sense to consider them after the first stage of the, if you like, building blocks [of the privacy laws] have been dealt with”.

Tommy Viljoen, another Deloitte partner, said before such laws come into place, organisations needed to concentrate more on setting and enforcing security policies, and particularly how the information is shared with third parties, instead of just securing the technology itself.

In two major cases in the UK, millions of personal records were lost after they were sent by courier and unregistered mail.

“I think there needs to be a mind shift between the traditional thinking of how we secure our systems and focusing on information security and securing the data. I think there has been far too much concentration on the systems and applications and not thinking enough about information management,” Viljoen said.

“[Companies] need to look at having an overall security management framework that covers the lifecycle of the information. That includes providing people with awareness training, having the appropriate policies in place, standards and then the technology to help prevent the leakage of data.

“There has been a lot of effort put into putting up a fence, but the fact that people walk through the gate daily and take things with them is not where the focus has been,” Viljoen said.

A recent survey of 208 IT managers by IT company Clearswift found 48 per cent believe their annual IT spend would increase by 10 per cent with the introduction of data breach notification laws.

Only 28 per cent were opposed to such laws, but 96 per cent didn’t think the public should be informed if a data breach occurred.

Shaun Drummond

© 2012 Key Media Pty Ltd.