Australian security: the lucky country
Does anyone seriously believe that Australian businesses and government agencies manage security any better than the US or UK?
Apparently the people that influence Australia's privacy laws do, which is why the government has given itself four years, or until 2012, to start reviewing the Australian Law Reform Commission's recommendation to include "mandatory" data breach notification measures in Australia's Privacy Act.
In the meantime Australians will have to settle for softer initiatives, like the Office of the Privacy Commissioner's (OPC) Privacy Awareness Week, which recognises "good" privacy practices by organisations, but doesn't ferret out bad security and privacy practices.
In this state of affairs, if Australian Customs were to suffer a breach where people disguised as EDS staff stole two mainframes from its high security centre, which also contained sensitive details about you, Customs won't tell you.
Until 2012 we can celebrate privacy while the US clocks up another two billion data breach notifications — the number of notices issued to its citizens since 2002, Microsoft's chief privacy officer Peter Cullen tells me.
The first areas of the Privacy Act the government has promised to tackle are health information and privacy, which is sensible since health costs impact the public purse more than anyone's right to know when your personal information is exposed.
Data security and its relationship to privacy has been put on the back burner due to one fact: no one, not the ALRC, not politicians, not the Privacy Commissioner, and especially not the public, have the foggiest idea about the extent to which data breaches have affected Australians.
We could be lucky, or perhaps have supreme intellects, which has helped Australia avoid HMRC-style mass breaches that exposed 25 million UK citizens' personal records. The Australian Taxation Office at least recognised the reality of the risk. The HMRC breach inspired a security review that found overall good practices, but significant security holes which could result in a data breach.
This was quite rare indeed. According to a recent survey by analyst firm Intelligent Business Research Services of 99 local IT managers — half came from organisations with more than 1,000 staff — many organisations could haemorrhage data without realising it, just like TJX. Asked "How would you know if an unauthorised person were to access sensitive data?", 45 per cent agreed "It's possible we would not know if this occurred".
So that's the situation. The politicians don't know, organisations that hold your information don't know and the pubic doesn't know. If ignorance is bliss, then who the bloody hell am I to question Australia as being the lucky country?
She will, as we say, be right.