Less pep talks, more stick on cybersecurity

How long, exactly, must we endure the corporate world's information security failing, and failing badly, before the government finally steps in?
Written by Stilgherrian, Contributor


I hardly need to mention that we've been watching a spate of security breaches. Sony's issues — the PlayStation Network suffered the fourth-largest data breach in history, then Sony had another problem and another — have merely been the most widely reported.

Remember Vodafone's fumble last year, which the Privacy Commissioner decided breached the Privacy Act? Remember Telstra leaving hundreds of customers' personal data exposed on its website?

Remember Lush cosmetics, which even admitted that its website didn't comply with the Payment Card Industry Data Security Standard (PCI DSS), the minimum security standard that you're meant to follow if you handle credit cards? Still, why bother? Only 22 per cent of businesses are compliant.

Less than two weeks ago, we read that another 8000 Australians had their credit card details potentially compromised, this time by an unnamed merchant, and the reaction is a big yawn. Ho-hum, another data breach. Indeed, by April we'd already seen double the number of reported data breaches as we did during all of last year.

All this is probably just the tip of the iceberg. It's likely that every one of the ASX 100 companies would have had a data breach. But we'll never know for sure, because we don't have to be told.

"We have no data breach notification laws in this country," said Alastair MacGibbon, director of the new Centre for Internet Safety at the University of Canberra, last week. "They were recommended quite some time ago, and the government was going to be considering them quite some time ago. But I don't see the movement towards data breach notification any time soon. I'd be pleased to be surprised."

Nor do we have any legislated security standards, real penalties for companies that suffer security breaches, or clear timetables for when any of these things might happen.

In February, the Privacy Commissioner said that he'd tighten the screws on businesses that neglect security standards but, really, so what? He has no power to impose penalties; he can merely give naughty corporations a stern telling-off. While Visa, Mastercard and American Express could in theory cut off a business for failing its PCI DSS compliance, when was the last time that this actually happened? It's hardly in the card industry's interest to cut off its own revenue stream.

What we need here is a bit more government stick. Instead, we have pep talks.

"We want to make sure that those companies have secure arrangements, that they also, in the event that there is personal information stolen, that they inform those people whose personal information has been taken as quickly as possible so people can protect their own interests," said the Minister for Home Affairs and Justice Brendan O'Connor on Friday.

The Federal Government has said that it won't be considering data breach notification laws until the privacy commissioner completes his review of privacy laws. O'Connor confirmed that plan, but wouldn't be drawn on specific timing.

"The government has made this very clear. We believe that really it's up to the corporate world to ensure they protect the interests of their consumers, protect the interests of their clients. And if they fail to do that, and if they leave a void, then governments of course will be expected to fill that void by some form of regulation," O'Connor said.

Are they not already failing?

The one bright light here is the attorney-general's announcement on Friday that the government will develop Australia's first "Cyber White Paper". It's billed as a blueprint for how we'll tackle online safety and security issues, based on a comprehensive public consultation that starts next month and is expected to produce results in the first half of next year.

A plan is always a good thing. A plan that results from cooperation between three departments — Attorney-General, Defence and the Department of Broadband, Communications and the Digital Economy — is even better. Given that consumer protection will be covered, the white paper might recommend that the government finally create the big stick that it needs to belt the slack corporations upside the head, and give them permission to use it.

My worry, though, is that even if the government gets its big stick, it'll be afraid of taking on the corporations.
