[BreachExchange] Australia needs to do more on data protection

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 4 14:45:36 EDT 2018


Digital privacy is top of mind for many Australians. With weekly data
breach scandals, individuals are becoming more aware and concerned about
who has their data, and more importantly, who controls how that information
is gathered, used and shared.

Governments around the world are struggling with modern challenges of data
protection and placing the right regulatory standards to enable
organisations to protect their assets and stakeholders more effectively
against the rising tide of cyber threats.

In Australia, the introduction of the Notifiable Data Breach scheme was celebrated
as a step in the right direction. While many people questioned whether the
legislation would be robust enough to ensure compliance, it seemed to have been
purposefully crafted to be soft, so that its effect on business could be observed.

In the first six weeks of the country’s NBD scheme, more than 63 data
breaches were reported to the Office of the Australian Information
Commissioner. For the public, this might seem like a high number,
especially in such a short time, but we should be prepared to see the
number continue to grow.

On May 25, the EU will introduce a privacy law that restricts how personal
data is collected and handled. The General Data Protection Regulation
focuses on ensuring that users understand and consent to the data collected
about them. The GDPR has an emphasis on consent, control, and clear
explanations of user data, and everyone is accountable.

It is largely recognised as one of the most sweeping regulatory changes
related to data protection ever introduced at such a large scale.

Australia is a country with 24 million people and within six weeks the OAIC
has had 63 reportable data breaches. It’s estimated that the EU has 511
million citizens: imagine what six weeks into the GDPR will reveal about
the real levels of data breaches and loss of personal data happening
globally. Additionally, GDPR applies to all businesses harnessing EU data,
even if they are not based in-region, which further expands the scope of
the regulation.

Although Australia was first to put its data privacy regulation in place,
some key learnings can be taken from the GDPR to strengthen Australia’s
approach to security.

Protection of data, especially personally identifiable data, is now more
important than ever before for government and business. The GDPR is just as
much a privacy regulation as it is a cybersecurity regulation, in part
because of the obligation to safeguard personal data.

In the EU, the GDPR does not make a distinction on company size, turnover
or type. If you handle personal data, then you are subject to the
regulation. Businesses are also required to report a breach within 72
hours, and the EU also has the harshest fines, up to €20 million
($32m). Experts anticipate that most businesses will be challenged to meet
this tight deadline.

In Australia, we have seen an attempt with the NBD to follow this global
trend of breach notification versus data protection, although in a much
lighter way. Only companies with more than $3m in revenue are required to
report breaches and they have 30 days to do so. This leaves many small and
midsized businesses out of the obligation loop, which can be problematic
for a number of reasons. SMBs are generally perceived as less security
mature and thus at a higher risk of suffering data loss, IP theft, and
other security-related losses. As adversaries tend to focus on the weakest
link, vulnerable SMBs can also pose a risk to their larger enterprise
partners or suppliers.

According to a report from NAB, small to medium enterprises now contribute
57 per cent of Australia’s GDP and it is estimated there are more than two
million small businesses in Australia.

These businesses deal with customer data but in many cases don’t have the
expertise or tools necessary to protect it. Most concerning, they have no
legal incentive to ensure safeguards are in place to stop a data breach.

While the government has been specific in the rollout of the national data
breach notification scheme, further developments to go down the path of a
more robust legislation remain to be seen.

The OAIC report not only highlights the issue of cyber security and
privacy, but also whether the OAIC has the resources and funding necessary
to deal with the volume of reports and the advice organisations will be
seeking, in particular, if they are looking for guidance on a potential

The desired outcome of regulations like the data breach notification scheme
is to drive better security practice, and individuals and businesses are
looking for guidance on how to do that.

It can be argued that Australia has not gone far enough to protect personal
data when compared to the complexity of the GDPR.

The GDPR takes data protection to a new level and other markets will be
watching to see the impact of the legislation in the coming months.
Australians who are on top of the local regulations are now extending to
GDPR in many cases and navigating the complexities that come with it.

The government and global community are thinking about the value of data
and the impact of having it stolen. At the same time, consumers are
demanding the right to be forgotten and to have their privacy protected.

It is not just about cancelling an account if you see suspicious activity.
We need to consider the longer-term impact on individuals and the
responsibility of the business to protect their data.