The Australian Notifiable Data Breaches scheme comes into effect this week — a new set of rules that will force businesses to be more honest with consumers.
But, with the scheme about to commence, critics argue the laws have serious shortcomings for both consumers and businesses, and Australia may have missed a golden opportunity to become a world leader in the area.
At a reading of the bill in parliament in 2016, government senator Michael Fayat explained, “This bill will improve the privacy protection of Australians in the event of a data breach without placing an unreasonable regulatory burden on business.”
The Office of the Australian Information Commissioner (OAIC) will be presiding over the scheme and an OAIC spokesperson told Which-50 the scheme “formalises a long-standing community expectation for transparency when a data breach occurs”, citing a 2017 survey which revealed that 94 per cent of people said they should be told if a business loses their personal information.
The new scheme means notifications are required if there is unauthorised access to customer data which is “likely to result in serious harm”. These terms have both customer and business advocates perturbed, but for different reasons.
The CEO of the Association for Data-Driven Marketers and Advertising (ADMA), Jodie Sangster, told Which-50 the legislation is too vague and fails to clearly define when notification is required.
“It’s going to be a challenge for businesses to know when they are required to go out and inform customers and when they are not actually under an obligation to do so.”
These terms and the consequences of failing to comply — including fines up to $2.1 million — mean businesses will ultimately err on the side of caution, according to Sangster. That caution may result in consumers receiving frequent notifications that their data has been breached, leading to apathy and an acceptance of data breaches, she said.
While Sangster says she is supportive of the concept of data breach notification legislation, the incoming scheme is “preemptive” and will introduce a “massive compliance cost”.
“The majority of businesses are doing the right thing by their customers and they have to — not because of legislation but because of their brand,” she said.
“We had a real opportunity to put in place a piece of law that could have been leading-edge in how it deals with this issue and how it directs companies on what to do. And as usual we didn’t do it.”
The scheme, while welcome, also leaves gaps for consumers, according to Microsoft Regional Director and cyber security expert, Troy Hunt.
Hunt shares concerns about vague terms like “serious harm” and the reliance on organisations determining the severity of breaches, albeit for different reasons.
There are few, if any, consumer data breaches that don’t warrant notification, according to Hunt.
“As an individual … I want to know when my data is disclosed. I don’t care if it’s just my email address,” Hunt said. “I don’t like the assertion someone’s personal data is somehow exempt of requiring a notification because an organisation doesn’t think it will hurt them.”
The scope of the scheme is significant and includes private and public entities with an annual turnover of $3 million or more, with few exceptions. However, Hunt argues exemption on the basis of turnover is unjustified and data breach notification costs are reasonable.
“This is other people’s data. You’ve lost it. They trusted you with it, you’ve got to do the right thing. I don’t see why just because an organisation is under a certain threshold your data is any less important.”
In a digital economy where platforms and services are often offered without charge, consumer data usually becomes the product and it is reasonable to expect organisations safeguard that data and notify people when they fail to do so, according to Hunt.
Hunt also has little sympathy for organisations that have prepared poorly for the scheme and claim compliance costs are too burdensome. Regulatory consequences should not be the impetus for cyber security and the scheme compels organisations to do things they really should have been doing anyway, he said.
“It strikes me a little bit when an organisation says it has to spend money to get ready for this. What’s the gap between where you need to be for this and where you were before? That’s kind of concerning.”
“The only thing changing is it’s harder to cover [data breaches] up,” according to Hunt.
Despite the scheme’s problematic aspects, Hunt said it is a significant step for Australia. “By having this law in place we’ve now moved the bar higher. We’ve said there is going to be a requirement to disclose certain incidents, where there wasn’t before.”
The Saving Grace
There is some agreement on one positive aspect of the scheme. Experts Which-50 interviewed said the scheme and its considerable penalties will elevate the cybersecurity conversation to the board room.
“That’s one big benefit of having a piece of legislation. It absolutely puts it front and centre on a risk committee on a board,” Sangster said. “The fines are so substantial that companies have to sit up and say, well what are we doing about this?”
Microsoft’s Troy Hunt agrees: “I’ve heard from multiple CISOs that it’s important to them because they can go to the board and say ‘hey guys there’s this law and if we don’t deal with it we’re going to be in all sorts of trouble that we might not have been in before’.”
Indeed, the considerable fines and potential brand damage sustained from a data breach will likely have boards talking about the issue. But several organisations may not believe the potential damage until they see it.
A Toothless Scheme?
Recent data breaches in Australia and the lack of sanctions imposed suggest the new laws could have problems with enforceability, according to Craig Horne, Strategic Security Advisor and the Vice President of the Australian Computer Society.
Horne cited the 2016 Australian Red Cross Blood Service data breach, in which the records of 550,000 donors were exposed — Australia’s largest data breach to date. The OAIC investigated the breach, ultimately accepting an enforceable undertaking from the ARCBS and deciding against any sanctions. Horne argues for a deterrent to be effective “it must be severe, swift and certain” and cases like the ARCBS create doubt around the scheme’s enforcement.
“Prescribed penalties under the Act do not have any deterrent value as it is not certain that organisations will receive any penalties for a breach,” Horne said.
Horne also agreed that the vague terms and the reliance on businesses conducting self-assessment in the new legislation are problematic.
Hunt, who alerted the ARCBS to the Red Cross breach, shares the concern over a potential lack of enforcement and says he doesn’t expect the scheme will produce any significant sanctions from regulators.
However, the damage of a data breach goes beyond any government-imposed sanctions. According to Horne, organisations potentially face a loss of consumer trust, share price dips, increased risk of litigation, interruptions to performance reporting, and loss of IP.
A more clearly defined scheme could have realised these business goals and helped consumers, according to ADMA’s Sangster, but the incoming scheme “hasn’t really hit the mark on either side”.
With 80 per cent of Australian companies expecting an increase in cyber risk, there is a clear need for a well-defined data breach scheme. Consumers see data security as a reasonable trade-off for the use of their data and expect a robust scheme that can respond when companies fail to provide it.
In an attempt to appease both groups, the OAIC’s scheme as it stands may not effectively serve either.