The Notifiable Data Breach scheme comes into effect today, requiring Australian businesses with a turnover of more than $3 million to report any data breach which could seriously harm people.
Businesses could face penalties if they don’t comply.
The requirement is an amendment to the Privacy Act: businesses must now notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable after an eligible data breach occurs.
If a breach occurs, anyone affected could potentially seek compensation under consumer protection laws.
Here are some thoughts industry leaders shared with us on the new Notifiable Data Breaches Scheme.
Professor Dali Kaafar, Information Security and Privacy Group Leader at CSIRO’s Data61
Why is privacy still an issue?
There is an abundance of data in the world, with roughly 2.5 quintillion bytes generated each day through the likes of our smartphones, wearable devices, computers and social media use. There have also been huge advances in data mining and analytics, which has proven to be a double-edged sword. The sheer quantity of data available and the sophisticated techniques to collect and analyse it make it easier to extract invaluable insights, but also enable cyber criminals to de-identify and manipulate data for their own benefit. Privacy will continue to be a major challenge in our data-driven world.
A paradigm shift
The current status quo — building secure systems that are only secure until cyber criminals develop sophisticated techniques to exploit them, as was the case with Spectre and Meltdown — is a losing battle. In fact, 2017 was the worst year for data breaches, which doubled in number from 2016.
We need to stop relying on original data and use provably secure, privacy preserving synthetic data instead. This is data that has been altered in such a way that ‘obfuscates’ individual data, but retains utility of the whole data set. The original data is kept separately, in a secure place, and the insights can be extracted securely.
Privacy R&D at CSIRO’s Data61
Our technologies like N1 Analytics and our work in privacy preserving data sharing enable the extraction of value from multiple data sets without violating either the privacy, or the rules governing privacy.
At Data61, we’ve developed a number of provable privacy preserving techniques applied to a range of datasets. Individual data is mathematically obscured, but the global ‘shape’ remains the same. Our team uses mathematical proofs to ensure that the privacy of individuals is protected through a randomised transformation process that cannot be reversed – enabling analysis of broad trends whilst protecting the privacy of individuals.
Absolute privacy is not an option
Data has become an important resource for individuals, organisations and governments alike. Absolute privacy would make it impossible to extract insights and utility from data sets. Differential privacy, which is a trade-off between utility and privacy, is a more pragmatic approach and something that we are exploring in our research at Data61.
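The Laplace mechanism is the textbook instance of the differential privacy trade-off Kaafar describes: a counting query is answered with calibrated random noise, the noise cannot be "undone" to recover any one person's record, and the parameter epsilon sets how much utility is given up for how much privacy. The Python below is an added example for this page, not Data61's code or anything from the original article; the RECORDS dataset and the query it counts are constructed for illustration.

```python
"""Differential privacy via the Laplace mechanism on a counting query.

Added example; not code from Data61 or from the article. RECORDS and the
query are constructed for illustration.
"""
import math
import random

# Constructed sample dataset: one boolean per person, True if the person
# has the attribute being counted (say, "holds a loyalty account").
RECORDS = [True, False, True, True, False, True, False, False, True, True]


def count_query(records):
    """Exact, non-private answer: how many records are True.

    A counting query has sensitivity 1: adding or removing any single
    person's record moves the answer by at most 1.
    """
    return sum(1 for r in records if r)


def laplace_scale(sensitivity, epsilon):
    """Noise scale b = sensitivity / epsilon.

    Smaller epsilon means stronger privacy and a wider noise distribution,
    which is the utility/privacy trade-off made explicit.
    """
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def sample_laplace(b, rng):
    """Draw from Laplace(0, b) by inverse-CDF sampling of u in (-0.5, 0.5)."""
    u = rng.random() - 0.5
    while u <= -0.5:  # rng.random() can return exactly 0.0; avoid log(0)
        u = rng.random() - 0.5
    return -b * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(records, epsilon, sensitivity=1.0, seed=None):
    """Release count + Laplace(0, sensitivity/epsilon) noise.

    seed=None uses the OS CSPRNG, which is what a real release needs; a
    fixed seed makes the demo repeatable. Floating-point side channels in
    Laplace sampling (Mironov, 2012) are out of scope for this illustration.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    b = laplace_scale(sensitivity, epsilon)
    return count_query(records) + sample_laplace(b, rng)


def laplace_log_density(x, mu, b):
    """Natural log of the Laplace(mu, b) density at x."""
    return -math.log(2.0 * b) - abs(x - mu) / b


def privacy_loss(output, count_a, count_b, epsilon, sensitivity=1.0):
    """ln(P[output | dataset A] / P[output | dataset B]) for two neighbouring
    datasets whose exact counts are count_a and count_b.

    epsilon-differential privacy means |loss| <= epsilon for every possible
    output whenever |count_a - count_b| <= sensitivity: an observer cannot
    tell, beyond a factor of e^epsilon, whether any one person was included.
    """
    b = laplace_scale(sensitivity, epsilon)
    return (laplace_log_density(output, count_a, b)
            - laplace_log_density(output, count_b, b))


def mean_abs_error(epsilon, trials=2000, sensitivity=1.0, seed=0):
    """Empirical average |noise| for a given epsilon; converges to b."""
    rng = random.Random(seed)
    b = laplace_scale(sensitivity, epsilon)
    return sum(abs(sample_laplace(b, rng)) for _ in range(trials)) / trials


if __name__ == "__main__":
    exact = count_query(RECORDS)
    print(f"exact count: {exact}")
    for eps in (0.1, 0.5, 1.0, 5.0):
        print(f"epsilon={eps:<4} released={private_count(RECORDS, eps, seed=7):7.2f}"
              f"  mean |noise| over 2000 draws ~ {mean_abs_error(eps):.2f}")
    # Worst-case privacy loss between neighbours with counts 6 and 5 is
    # exactly epsilon, attained for outputs outside [5, 6].
    print(f"privacy loss at output 20 (eps=0.5): "
          f"{privacy_loss(20.0, exact, exact - 1, 0.5):.3f}")
```

The `privacy_loss` function is the part worth studying: for any two datasets that differ in one person, the log-ratio of the probabilities of seeing a given released value is bounded by epsilon no matter what that value is, which is the "cannot be reversed" property stated mathematically rather than by obfuscation. Run the script and compare the released counts and average noise at epsilon 0.1 versus 5.0 to see the trade-off; note that the bound holds per query, so repeated queries against the same records consume a privacy budget that must be tracked.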
Brian Fletcher, Symantec Director of Government Affairs for Asia Pacific, Japan & Korea
The Australian Government’s long-awaited Notifiable Data Breaches scheme comes into play, legislating protections around personal data and placing Australia firmly by the side of the world’s leading economies.
The result of a decade-long journey, from the Australian Law Reform Commission’s report recommending mandatory data breach reporting to its passage into legislation last year, will be a massive shift in where privacy sits on the priority list of both government and business. In the long term, greater transparency in the event of a serious data breach promises to boost public confidence in how personal data is stored, shared and handled by the businesses people transact with, and the governments they trust. In the short term, businesses should expect some pain as the new laws change the way their organisation measures risk.
But it’s not just big business that will be impacted. By introducing fresh data security imperatives for businesses with an annual turnover of $3 million and over, the new law captures Australia’s small and mid-market businesses – a growing number of which are now selling into governments and large enterprise.
As governments encourage greater procurement participation from small business, and large enterprise turn to startups to inject innovation, we will see the big end of town refurbish contracts to mitigate their own privacy risks and protect themselves from data breaches that may occur along the data supply chain and throughout the contract, not just at the point of contracting. We’re already seeing this with Federal Government contracts, in which external bodies are often required to adhere to Australian Government privacy and data security standards.
Beyond the supply chain, businesses should brace themselves for the costs associated with bringing substandard privacy regimes up to code. This involves staff training and awareness on how to properly secure data, and modifying business processes to be more privacy-compliant. The rising cost of a data breach and increased reporting requirements are also likely to result in increased cyber insurance uptake by private companies.
When it comes to government at a federal level, this liability threshold does not exist. The Australian Government’s health and finance portfolios have been particularly good at meeting public expectations around privacy. But as government agencies and departments move towards an open data environment, it is important that they consider not only the privacy of electronically stored information but paper-based systems. The government has traditionally been very good at managing the security and privacy of paper-based information, but last month’s Cabinet Files incident offers a timely reminder that complacency can undo even well-practised and mature processes, compromising extremely sensitive information in the process.
Privacy is a politically and socially charged topic, and any change will require time and refinement before it is ingrained in Australian corporate and consumer culture. For example, it will be interesting to see how the many small businesses with a variable annual revenue are impacted by the $3 million threshold. But the benefits of doing what is right will far outweigh the reputational and financial costs of being caught out publicly. Privacy is about people, technology and processes all working together to ensure the security and integrity of our citizens’ personal data.
Tim Bentley, Vice President, APJ at Proofpoint
The impact of security incidents, and particularly data breaches, is wide-reaching across Australia’s business landscape. According to accounting firm PwC, there has been a 109 per cent increase in detected security incidents in Australian companies, compared to a 38 per cent global average. More specifically, according to a new report by Breach Level Index, Australia has the most information-security breaches in the Asia-Pacific region.
Despite these alarming findings, there is concern that the new data breach disclosure laws will not amass real action on the ground in the business community until a big, local breach in post-data disclosure Australia occurs. That said, this new mandatory data breach notification is a strong step forward: when passed, the legislation will mean that Australia has some of the strictest disclosure rules in the world.
Data breaches are not just an IT security issue, but a fundamental data governance issue. Organisations must combine information security with data governance programs that identify, classify and protect critical and sensitive data assets. Technologies like encryption and Data Loss Prevention (DLP) provide automated controls that protect the processing and storage of sensitive information. By implementing multi-layered defence strategies leveraging technology controls, businesses can reduce the likelihood of data exposure.
Guy Eilon, Country Manager of Forcepoint, Australia
More than 90 per cent of ASX listed businesses, Government Departments, and large NGOs were exposed to a data breach in 2016, according to research published by Forcepoint. Today, these breaches can no longer be swept under the carpet.
Compliance with the Notifiable Data Breaches (NDB) scheme is only the beginning. The true success of this new law will be judged on the behavioural and cultural shifts that it seeks to drive within our organisations.
Prevention is always better than cure, but when it comes to data protection, this is easier said than done. The blending of our work and personal data on mobile devices, the growth of cloud services, and the carefree data protection attitudes that permeate our workforce have seen traditional network perimeters dissolve and data visibility diminish.
At best, this moment of legislative history should spark a step-change in the way we secure data – moving from a threat-centric to a human-centric approach; one that protects data at the human point – the intersection of users, data & networks. At the very least, it should start to unravel the scale of the challenge we already face.