Opinion: One year on, our mandatory data breach laws have failed
- 25 February, 2019 10:07
Anniversaries should be occasions of joyous celebrations of milestones reached – birthdays are such an example. Yet, not all birthdays are a cause to celebrate.
Take the Office of the Australian Information Commissioner’s (OAIC) one-year-old baby, mandatory data breach legislation, a failure that deserves to be toasted.
The laws are a falsehood based on a promise to make changes and act. So far, none of that has eventuated.
Among all the adjectives that could be used to describe the legislation, the most befitting is to view it as a quarry turned landfill, comprised only of rubbish, which we are asked to believe is something other than what it is.
Reflecting on the year since the legislation’s introduction, it’s hard to argue that Australia’s business landscape hasn’t changed, and the change has come wrapped in compelling drama since the Hayne Royal Banking Commission turned the finance sector on its head.
There have been recommendations to overhaul the practices of mortgage brokers, scathing criticisms of APRA and ASIC, inferred suggestions of criminal prosecution, the capitulation of some of the sector’s biggest guns, and theft of our data and private information.
The list becomes a perpetuating damnation of a landscape in demise.
But from all the negatives, opportunity to learn becomes the essence of progression – and if anything, the need to learn becomes a key of necessity to future development.
As observers of our own fate, we have learned that a significant number of organisations continue to fail to understand the law and the responsibilities by which they are bound.
Recent statistics released by the OAIC tell us more about our fate, and the failure of business to understand the law is best represented by the following: almost 25 per cent of all reported data breaches in 2018 impacted only one individual, and 85 per cent of those involved an individual’s home address, phone number and/or email address.
What flows from these figures is the observation that although many organisations take data breach laws seriously, the underlying paradox remains an inability to genuinely understand the requirement that individuals face serious harm as a component of the data breach legislation.
Many organisations with more than 100 employees have self-reported data breaches because of sending letters or emails to the wrong person. This identifies another glaring error in how the issue is handled, but does it constitute serious harm?
What becomes obviously clear is that a number of organisations, the big four banks being a perfect example, have self-reported numerous times yet continue to repeat their mistakes and remain unaccountable.
The OAIC is the established watchdog charged with the responsibility of overseeing and reining in the behaviour of organisations and ensuring our privacy is protected.
But we think of watchdogs as vicious, snarling animals that could strike at any moment to repel an attack on their masters. Yet what we have with the OAIC is the complete antithesis – a toothless animal incapable of defending the very house it is meant to protect.
And in the past year it has become even more evident than before that the OAIC, regardless of the size of an organisation or the size of the data breach, continues to fail to act as it should.
The OAIC stoutly defends its position and recoils in denial when challenged on its poor performance.
But statistical evidence doesn’t lie. In the last year, five data breaches have each impacted more than 100,000 people, and two of those breaches impacted more than 1 million Australians.
Each time, the OAIC failed in its duty to initiate a commissioner-led investigation.
Furthermore, no organisation has been fined, irrespective of the number of data breaches it has been involved in. It’s an interesting conundrum we find ourselves in as Australians, when the designated watchdog charged with protecting our privacy simply cowers into hiding.
Security in Depth has reviewed a significant number of Australian businesses and researched how many organisations had implemented an incident response plan when the legislation was first enacted.
The number that did have a response plan in place was 17 per cent, an indication that businesses were ill-prepared. That number has since increased to 36 per cent, and yet, what is interesting is that when those organisations were asked whether their plans had actually been tested, a stark 9 per cent of those with an incident response plan had conducted tests to see if it would work.
So has anything changed over the last year, and are we now safer and better off because of these new laws? The simple answer is no.
What is clear is that there is an endemic pattern of failure to understand the laws; they are not strong enough and don’t provide an incentive for organisations to change their policies and procedures.
If the government wants to review lessons learnt then they should look no further than what has been taking place in Europe with the EU General Data Protection Regulation (GDPR) and the EU Cybersecurity Act.
Australia has much to learn if we are to protect one of our key assets – our data and privacy.
Michael Connory is the CEO of Security in Depth.