Australia deserves a whack of the data breach notification stick

Australian businesses shouldn't have to clean up after other organisations' infosec oopsies. It’s time to get tough about data breach notification.
Written by Stilgherrian, Contributor

"The arguments contrary to mandatory breach notification are quite spurious," says Gary Blair, adjunct professor with the Edith Cowan University's Security Research Institute. "Organisations not coming clean has a collateral impact, and that causes collateral damage to the rest of the industry."

The Catch of the Day data breach is a clear example. It was only reported to customers last month — three years after it had taken place — for reasons that are still unclear.

"Within the industry, that [breach] was well-known back in 2011," says Blair. "The question was, why didn't they bother to actually pick up the phone and contact the Privacy Commissioner back then? I guess others in the industry assumed that they'd done it, but that wasn't the case. The mess that that created, others in the industry had to pick up too."

Blair, with more than 25 years' experience in IT in the banking and finance industries, was speaking at Cisco's "Cyber Day" for media and analysts in Sydney last week. Other panelists agreed with his point that responsible organisations act responsibly, and are already doing the right thing under the voluntary breach notification process.

"The downstream impact on [companies] that act responsibly and with speed, the backlash is much less than those that don't. You have to just put that as part of your culture and your process and deal with it that way," said Steve Martino, Cisco's vice president of information security.

Dr Jason Smith, technical director of CERT Australia, agreed that "certain industries" — presumably the usual critical infrastructure types — had voluntary codes that "seem to be working".

But not every organisation acts responsibly — and with every data breach costing the industry time and money, it's clearly time to make it mandatory. In fact, Blair would like to take it a step further.

"If you have authoritative knowledge of a breach that had occurred elsewhere, in another organisation, do you have an obligation to report it?" Blair says yes.

"The types of cases I'm talking about specifically are where there's actual provable evidence that that data has been actually exfiltrated, and has actually been used by criminals to actually perpetrate fraud against those cardholders, for example."

Alastair MacGibbon, general manager of security with Dimension Data Australia and a former federal agent with the Australian Federal Police, agrees.

"There are laws in each state and territory today that say if you have knowledge of a serious indictable offence, you must report it," he said.

"For some bizarre reason, we have segregated the online world, and said it is above and beyond our normal societal expectations of how an organisation or individual should behave, and this is not the case. It's not the case in law, it's not the case morally, and if we require it, let's bring in something that forces people down that path."

Now there may be potential downsides to a mandatory data breach notification regime. We don't want to rush things.

"I'm just mindful of that phrase, that if you want a law really, really badly, you'll get a really, really bad law," said IBRS security industry analyst James Turner from the audience.

Turner has a point. Australia's favourite Attorney-General, Senator George Brandis QC, has yet to exhibit any deep understanding of the implications of technology. The previous government was so hasty in drafting cybercrime laws that one piece of legislation could never have achieved its stated goal, leading to an equally hasty redraft.

MacGibbon is concerned that mandatory breach notification could be a "disincentive for some to actually know what's going on" and induce "wilful blindness" — although he suggested a cure.

"If they've done the right thing as an organisation, in terms of taking an effective approach towards understanding what their threat and risk environment is, and are taking whatever those prudent steps are to minimising it, you don't penalise them in the process," MacGibbon said. "But if they haven't, if they have actually been negligent in their approach, then suffer for it financially."

Jodie Sangster, head of the Association for Data-driven Marketing and Advertising (ADMA), is also concerned. Last week she warned against consumers being "flooded" with breach notifications, diluting the meaning of any subsequent warnings about more serious breaches — although personally I think it should be up to the individuals affected to decide whether it's "serious" or not, and up to organisations to get their infosec act together and protect the data they scoop up.

But these concerns are all unquantified feelpinions, whereas the cost of data breaches is real. I agree with Blair. These arguments don't stack up.

Data breaches are still happening. The number of breaches that get reported doesn't seem to line up with the figures we see in security vendors' doom-laden reports. It's clear that many businesses are still deciding to hide their oopsies from their customers — or even worse, failing to discover them in the first place.

The talk of mandatory data breach notification laws has been going on for years.

"All of my clients are desperate to get actual information, so they can validate what they're doing to their executives," Turner said.

If Australian businesses can't sort this out amongst themselves, then it's time to put some stick about.
