Former ASIO head questions why political parties are exempt from breach disclosure

Political parties are exempt from Australia's looming data breach notification laws, but David Irvine, former head of ASIO, wants to know why.

In February next year, organisations in Australia will need to disclose incidents involving personal information, credit card information, credit eligibility, and tax file number information of individuals that would put them at "real risk of serious harm" under the country's impending data breach notification laws.

The new laws, mandated under the Privacy Amendment (Notifiable Data Breaches) Act, apply only to organisations already covered by the Privacy Act, which means intelligence agencies, small businesses with annual turnover of less than AU$3 million, and political parties are exempt from disclosing breaches.

David Irvine, chairperson of the Australian Cyber Security Research Institute (ACSRI) -- formerly the head of the Australian Security Intelligence Organisation (ASIO) and director-general of the Australian Secret Intelligence Service (ASIS) -- could not say why political parties find themselves excused from the new laws.

"I think that should be treated as a rhetorical question; my response would be why indeed," Irvine told ZDNet in response to a question asking why political parties are exempt.

"I think the parties probably do need a good cyber disaster to focus on this issue as is now happening in the United States."

Just this month alone, US credit rating and reporting firm Equifax revealed it had exposed as many as 143 million customers, and Deloitte confirmed it was targeted by a cyberattack on Tuesday resulting in the theft of confidential documents and emails.

It followed accusations throughout the year from US intelligence agencies that Russia hacked into Democratic Party emails, as well as revelations that the storefront of the National Republican Senatorial Committee contained malware that siphoned off every credit card number used in the store in a six-month period.

Present on the panel moderated by Irvine at the SINET61 conference in Sydney on Tuesday were Aidan Tudehope, managing director at Macquarie Telecom, and Sophie Higgins, a director in the Regulation and Strategy Branch of the Office of the Australian Information Commissioner (OAIC).

While Tudehope skirted the question, he told ZDNet that the "fake news" movement was pushing political parties to address the very issues the data breach notification laws would otherwise oblige them to confront.

"The fake news debacle in the US is probably doing a better job of raising the cybersecurity awareness within the political parties, not necessarily privacy, but if you think about the ultimate game is about raising security, that's going a long way," he said. "The parties are standing up and listening."

Higgins, however, opted for the obvious response, noting that political parties are exempt from the Privacy Act, so therefore they're exempt from reporting breaches.

Under the data breach notification laws, organisations need to report an incident "as soon as practicable", Higgins explained, but the assessment needs to be conducted within 30 days.

As Irvine pointed out, it's a self-reporting scheme.

"I don't know how many people report themselves to the Road and Traffic Authority for doing 65 in a 60km/h zone, but that's essentially what you're asking us to do," he said.

"Not only that, but you're asking us to make a judgement about whether something is serious, whether something might cause psychological harm to someone ... you're asking me to make a lot of judgements."

It was also noted during Tuesday's panel that the definitions used in the legislation will be ironed out only once actual cases start to emerge.

In May 2018, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.

Under Australia's data breach notification laws, organisations have 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

If an Australian organisation has an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU, they are bound by the GDPR requirements, should the breach be related to any of the above.

Organisations that fail to comply with the regulation requirements face administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.