Data breach law will not change status quo: claim

Australia's data breach law, which takes effect on 22 February, will be among the weakest in the world and is unlikely to put any pressure on businesses to change the way they currently protect personal data, the founder and chief technology officer of a cyber security consulting firm claims.

Phil Kernick of CQR Consulting (below, right) told iTWire that he was not saying the law was pointless. "There is clearly a need for protection of personal data held by businesses," he said. "The problems arise from the fact that the laws don't effectively internalise the costs that result when a data breach occurs."

Breaches of the law, in the form of failing to notify those affected by a breach, will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines. Only organisations with revenue of more than $3 million are covered.

Kernick said when a breach that resulted in the loss of personal customer data took place, there was an external cost borne by the victims.

"This cost can range from mild inconvenience for those affected, such as the need for a new credit card, to larger costs like reputational and financial damage," he pointed out.

"For the business itself, however, there is often little more than a short-term reputational loss that occurs. History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations. Even dating site Ashley Madison continues to flourish following a massive data breach back in 2015."

As a result, he said, there had been little incentive for businesses to increase their security budgets to ensure proper protection of personal data – the associated costs had not been internalised.

"This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take."

Asked about the costs that a business would suffer due to class action suits following a breach and whether that would not act as an incentive to have better security, Kernick responded: "It's possible, but not probable. We aren't as litigious as other countries, and given the Privacy Act already defines the process and penalties, it's hard to see the Federal Court hearing such an action."

He said that under the new law, any business affected by a data breach was responsible for deciding whether "serious harm" was likely to occur to any person whose data had been compromised.

"If the company decides the serious harm bar has not been exceeded, it doesn't have to take any action at all. So, a company could simply decide that having a customer's personal contact details out on the Internet will not result in serious harm to them - and that's the end of it," he said.

"There is nothing to compel them to take any other steps. In fact, if you look at data breaches that have already occurred in Australia, it is hard to find one where the 'serious harm' definition would actually have come into play. Clearly these new rules need to be toughened up.

"If a business does decide that serious harm could occur to individuals who have had their personal data stolen, all that the management has to do is provide a statutory notification to the Privacy Commissioner who may then determine that all that's required is the posting of that declaration on its website."

Asked why the government had set the bar so low that in effect it was a case of the fox watching the hen house, Kernick pointed to a clause in the privacy law: "In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of notification fatigue among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement."

His interpretation of that was, "reading between the lines, the ALRC (Australian Law Reform Commission) seems to believe that there are going to be a lot of data breaches. The serious harm threshold will be set by common law, so expect that there will be cases intended to set exactly this bar."

As to how the law could be strengthened so that it would be more meaningful, Kernick said first, the responsibility for determining whether the serious harm bar had been exceeded should be shifted from the affected company to the Privacy Commissioner.

Then there should be a provision included that stipulated whenever a data breach occurred, the business was obliged to contact every customer and let them know about the incident, whether it met the definition of serious harm or not. This would mean a cost for the business, which would encourage it to strengthen security ahead of time.

"The Australian Government should also look closely at the privacy regulations now in place in other parts of the world," Kernick recommended. "For example, the General Data Protection Regulation rules in the European Union (which come into force in May this year) provide the ability to levy fines equivalent to 4% of a company's annual turnover."

He said if such rules existed in Australia it would mean a change in the rules of the game.

"These extra steps need to be taken as soon as possible to internalise the costs of data breaches and ensure that businesses in Australia are taking all the steps required to effectively secure the personal data they are storing," Kernick added. "Doing nothing means the burden unfairly remains with affected individuals rather than the businesses that have been careless with their data."

When it was suggested that the law was more of a band-aid to cover for the fact that Australia has had no data breach law and to pacify trading partners and the public, Kernick took a more moderate tone.

"It's a good start. We are slow to the party but at least we are now there," he conceded. "The opportunity exists to strengthen the regulations going forward. Remember there are still large carve-outs in the Privacy Act. State governments and local councils, which hold vast amounts of personal information, are currently exempt."

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.