30 Nov 2017
Your personal data’s been stolen. Wouldn’t you like to know?
By Tom Uren
From early next year, Australian companies will be obliged to tell you if personal information entrusted to them has been stolen by hackers.
But the Notifiable Data Breaches scheme of the Privacy Act does not go far enough—companies and organisations are obliged to notify only breaches they consider very serious; too many organisations are exempt; and penalties are too low.
Every month there is a new announcement that a large trove of personal data has been stolen or lost. This year we’ve learnt of data breaches from Equifax, a US credit reporting agency; the US Securities and Exchange Commission; Deloitte, the professional services firm; Hyatt Hotels; Disqus, the online comment service; and we’ve also learnt that data on all Yahoo accounts was stolen back in 2013. This collection of high-profile hacks is only the tip of the iceberg – the Have I Been Pwned service, which collects data on online data breaches, reports 69 separate breaches covering almost 2.7 billion accounts so far this year.
And this is not just a problem for US companies. In Australia, on 2 November we learnt of a 50,000-record Australian data breach, and in October we learnt that a defence contractor had suffered a significant data breach and lost commercial-in-confidence information relating to the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, and unspecified Navy ships.
If it weren’t for an inquisitive media we’d never know about these breaches. Other than for My Health records there is currently no requirement for Australian companies to report data breaches. This all changes on 22 February 2018 when the Notifiable Data Breaches scheme of the Privacy Act will come into effect. Companies will be obligated to report data breaches to the Office of the Australian Information Commissioner (OAIC) and the affected individuals. The goals of the notifiable breach scheme are to improve transparency on how serious data breaches are handled; strengthen the protections surrounding everyone’s personal information; and allow individuals to protect themselves after their data has been lost.
These are all desirable goals, but the legislation doesn’t go far enough. Thresholds are too high; too many organisations are exempt; and penalties are too low.
A data breach must be reported if the loss of information is likely to result in serious harm to any of the affected individuals. This standard seems reasonable, but it treats each individual breach in isolation; in the current environment of regular large scale breaches each new breach adds to the private information that has already been lost. The default view should be that a new breach which is insignificant on its own will likely substantially add to the risk of harm by filling in missing pieces of the puzzle.
The Notifiable Data Breach scheme only applies to a subset of Australian organisations and misses some important ones it should cover. Organisations that aren’t covered but perhaps should be include universities, public schools, state and territory government agencies, and political parties. In general, small businesses (annual turnover of less than $3 million) are exempt, although many that deal with significant personal data holdings are included.
Penalties are also too low. Most cybersecurity professionals I’ve spoken to about this issue believe that large companies will continue to avoid disclosure; the costs of disclosure – including to reputation and brand damage – are simply much higher than the costs of potential penalties.
By contrast, the European law that covers data breach disclosure, the European General Data Protection Regulation (GDPR), has much lower disclosure thresholds (disclosure is required for breaches that ‘result in a risk’ rather than a serious risk), applies to all companies processing and holding personal data, and has far higher penalties (up to 4% of annual global turnover or €20 million, whichever is higher).
The GDPR recognises that the strong protection and enforcement of data privacy rights is desirable in building the trust that will allow digital economies to develop.
Data breaches are rife and important information is too often poorly protected; we need strong incentives for everyone to improve their game for the longer term good of the economy.
Last financial year the OAIC received 149 data breach notifications. Expect many more once data breach notifications are mandatory next year – but perhaps not as many as we should see.