Australia deserves a whack of the data breach notification stick

Summary: Australian businesses shouldn't have to clean up after other organisations' infosec oopsies. It’s time to get tough about data breach notification.


"The arguments contrary to mandatory breach notification are quite spurious," says Gary Blair, adjunct professor with the Edith Cowan University's Security Research Institute. "Organisations not coming clean has a collateral impact, and that causes collateral damage to the rest of the industry."

The Catch of the Day data breach is a clear example. It was only reported to customers last month — three years after it had taken place — for reasons that are still unclear.

"Within the industry, that [breach] was well-known back in 2011," says Blair. "The question was, why didn't they bother to actually pick up the phone and contact the Privacy Commissioner back then? I guess others in the industry assumed that they'd done it, but that wasn't the case. The mess that that created, others in the industry had to pick up too."

Blair, with more than 25 years' experience in IT in the banking and finance industries, was speaking at Cisco's "Cyber Day" for media and analysts in Sydney last week. Other panelists agreed with his point that responsible organisations act responsibly, and are already doing the right thing under the voluntary breach notification process.

"The downstream impact on [companies] that act responsibly and with speed, the backlash is much less than those that don't. You have to just put that as part of your culture and your process and deal with it that way," said Steve Martino, Cisco's vice president of information security.

Dr Jason Smith, technical director of CERT Australia, agreed that "certain industries" — presumably the usual critical infrastructure types — had voluntary codes that "seem to be working".

But not every organisation acts responsibly — and with every data breach costing the industry time and money, it's clearly time to make it mandatory. In fact, Blair would like to take it a step further.

"If you have authoritative knowledge of a breach that had occurred elsewhere, in another organisation, do you have an obligation to report it?" Blair says yes.

"The types of cases I'm talking about specifically are where there's actual provable evidence that that data has been actually exfiltrated, and has actually been used by criminals to actually perpetrate fraud against those cardholders, for example."

Alastair MacGibbon, general manager of security with Dimension Data Australia and a former federal agent with the Australian Federal Police, agrees.

"There are laws in each state and territory today that say if you have knowledge of a serious indictable offence, you must report it," he said.

"For some bizarre reason, we have segregated the online world, and said it is above and beyond our normal societal expectations of how an organisation or individual should behave, and this is not the case. It's not the case in law, it's not the case morally, and if we require it, let's bring in something that forces people down that path."

Now there may be potential downsides to a mandatory data breach notification regime. We don't want to rush things.

"I'm just mindful of that phrase, that if you want a law really, really badly, you'll get a really, really bad law," said IBRS security industry analyst James Turner from the audience.

Turner has a point. Australia's favourite Attorney-General, Senator George Brandis QC, has yet to exhibit any deep understanding of the implications of technology. The previous government was so hasty in drafting cybercrime laws that one piece of legislation could never have achieved its stated goal, leading to an equally hasty redraft.

MacGibbon is concerned that mandatory breach notification could be a "disincentive for some to actually know what's going on" and induce "wilful blindness" — although he suggested a cure.

"If they've done the right thing as an organisation, in terms of taking an effective approach towards understanding what their threat and risk environment is, and are taking whatever those prudent steps are to minimising it, you don't penalise them in the process," MacGibbon said. "But if they haven't, if they have actually been negligent in their approach, then suffer for it financially."

Jodie Sangster, head of the Association for Data-driven Marketing and Advertising (ADMA), is also concerned. Last week she warned against consumers being "flooded" with breach notifications, diluting the meaning of any subsequent warnings about more serious breaches — although personally I think it should be up to the individuals affected to decide whether it's "serious" or not, and up to organisations to get their infosec act together and protect the data they scoop up.

But these concerns are all unquantified feelpinions, whereas the cost of data breaches is real. I agree with Blair. These arguments don't stack up.

Data breaches are still happening. The number of breaches that get reported doesn't seem to line up with the figures we see in security vendors' doom-laden reports. It's clear that many businesses are still deciding to hide their oopsies from their customers — or even worse, failing to discover them in the first place.

The talk of mandatory data breach notification laws has been going on for years.

"All of my clients are desperate to get actual information, so they can validate what they're doing to their executives," Turner said.

If Australian businesses can't sort this out amongst themselves, then it's time to put some stick about.


Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.


1 comment
  • Too right we need mandatory notification

    I reckon those arguing against it are the cowboys, or at least, are speaking for a cowboy organisation. They are most likely organisations with slim profit margins.

    Trust is earned through honesty and actions. If the public can't trust you, well, watch your profit margins get even slimmer.

    The organisations that have suffered most from breaches are the ones that tried to hide the truth, not the ones who put their hand up and gave the world regular updates on progress. I bet Vodafone wish they had their time over again.

    I reckon organisations that don't make an honest effort with their IT Security are the real leaners in our society. They are like a student on the night before an exam who hasn't studied all semester praying an angel will come and magic the answers into their brain. So after flunking university they are now praying they won't get breached.

    These leaners are actually a threat to other organisations who are making an honest effort. We all know adversaries will attack weaker systems to facilitate a successful attack on a stronger system (their real target). So in that regard, the laws probably can't go too hard at all.

    So for the sake of everyone, this selfish attitude has to end. By protecting the clients you all claim to care about and want to deliver better services to, you will be delivering your own salvation, and letting others achieve theirs.