Loopholes lurking in the government's data breach Bill

By this time next year we will presumably have a mandatory data breach notification regime in place, but is it actually going to be good for anything?

By this time next year we will presumably have a mandatory data breach notification regime in place, provided the federal government’s proposed Privacy Amendment (Privacy Alerts) Bill 2013 manages to see the light of day.

For Australian consumers, the Bill can’t come soon enough. A Unisys Security Index conducted by Newspoll last month highlighted the growing mistrust of the public when it comes to how organisations are looking after their personal data.

Nearly three-quarters of the 1200 respondents said that they were personally concerned about a potential data breach of their information held by financial institutions including banks and credit card companies. Two in three said they were concerned about data breaches by telecommunication providers, and more than half were concerned about government services and health organisations.

It’s not simply a question of whether the data is kept safe or not, it’s a question of accountability. The checks and balances in place now are clearly not doing the job, and that’s bad news not just for customers but also for businesses.

The average cost of a data breach for Australian organisations ballooned to $2.72 million at the end of 2012, and given the rising tide of targeted malware attacks, not to mention system glitches and human error, a breach of some sort is almost a certainty.

All of this makes a push for mandatory breach notification very timely, but there’s no guarantee that consumers will get what they want.

The Bill will require government agencies and businesses to notify customers of serious data breaches in relation to personal, credit reporting, credit eligibility or tax file number information. However, the devil remains in the detail and the Bill in its current form has plenty of critics.

The dangerous doublespeak

Their biggest problem with the legislation is the use of the term “serious”, and just how you decide what’s a serious breach and what’s not. For some, this is exactly the sort of doublespeak that keeps the balance of power firmly tilted in favour of companies, not the consumer.

RMIT senior lecturer and regular Technology Spectator contributor Mark Gregory is an ardent critic of the current Bill and says it is clearly designed to provide businesses with loopholes.

“The draft legislation is not worth the paper it’s written on. They are going to introduce legislation that has no value,” he says.

Gregory's vitriol isn’t entirely misplaced. The definition of what constitutes a serious breach and what doesn’t is a grey area, and that opacity could be exploited by organisations to avoid paying fines and protect their reputations.

Another important consideration revolves around what kinds of data need to be protected. Credit card details, names and numbers are clearly worth safeguarding, but what about intellectual property breaches or attacks on public organisations?

Where do they fall within the overall purview of the proposed legislation? 

The proposed legislation needs to be all-encompassing, cultivating an environment in which all data breaches are reported, at least for a period of three to five years.

Australian-owned data protection company Senetas’ CEO Andrew Wilson says that the government is trying to ensure that the proposed legislation doesn’t lead to an uptick in frivolous or minor reports.

“Basically a serious breach relates to a delinquent approach to application of the privacy principles and hasn’t taken steps to protect the data. That could be the first step in classification and I suspect that the second step would be to see whether the data exposed customers to a serious risk of harm,” Wilson says.

However, he admits that there's a fine line. The privacy reform amendments come with a clause whereby if the reporting of the breach is deemed to put national interest under threat then there is a case for exemption.

Taking that first step

It’s a double-edged sword, but these considerations should not detract from the fact that the proposed legislation is still a much-needed first step in bringing Australia in line with the rest of the developed world.

If passed into law, the legislation will see us catch up to most US states and European countries that have had mandatory breach notification provisions for some time.

As Forrester Research analyst Masami Kashiwagi points out, while data privacy legislation is expanding and changing, most jurisdictions in the Asia Pacific region (including Australia) fail to meet EU standards. To date, New Zealand is the only jurisdiction in the region that is considered to have “adequate protection” under the EU directive.

Perhaps this failure to meet the standards reflects a fundamental deficiency in our organisations: a deficiency in understanding the value of the data they possess and just how damaging its loss is, not just for the consumer but also for the organisation.

While the Corporations Act requires companies to take a risk-based approach to protecting company assets, the lack of accountability and contrition from many organisations would suggest that data isn’t seen as a critical company asset.

The recent "State of Privacy Awareness in Australian Organisations" survey, commissioned by McAfee, reveals just how far behind local organisations are lagging, even as the fate of the proposed legislation is decided. According to that survey, 59 per cent of employees responsible for managing the personal information of customers were unaware or unsure of the proposed changes, while 21 per cent of Australian organisations admitted to having experienced a data breach.

Faced with such statistics, perhaps the compliance burden entailed in the proposed legislation, which some organisations have been ranting against, is worthwhile after all.

No silver bullet

Trust in a digital economy is a vital component to its effective functioning and Wilson says the public has every right to demand greater accountability from organisations.

He adds that the Privacy Act in its existing form simply doesn’t foster accountability and far too much time has been wasted in mulling over reforms.

He also argues that the cyber security message has far too often focused on creating stronger walls and perimeters and failed to focus on what it is they are protecting: data.

“Data is the oil of the 21st century,” says Wilson, who unsurprisingly recommends that encryption be an important part of the conversation.

Senetas is in the business of encryption, but Wilson makes a good point: a data-centric approach to security, one that aims to devalue the data in the eyes of the hacker, does make an organisation less of a target.

“The regulatory framework proposed requires organisations to take all reasonable steps to protect their data and if you can encrypt your data you can demonstrate that you have taken all reasonable measures,” says Wilson.

Encryption is the last line of defence, but it’s not a silver bullet for organisations. In fact, nothing is, but having legislation that punishes complacency and encourages organisations to take a more comprehensive approach to protecting customer data is an absolute must.