Turnbull should force Australia to be open about data breaches

Asking businesses nicely to publicly reveal when they have experienced the equivalent of a dakking in the schoolyard is not going to make things any better.
Written by Chris Duckett, Contributor

The Australian government has a number of sticks in its closet that it can use to beat all manner of people, companies, and other entities both within and outside the confines of the island continent.

And Prime Minister Malcolm Turnbull was only too happy to wave around the one titled "offensive cyber capability" during his launch of the government's AU$240 million Cyber Security Strategy yesterday.

"Acknowledging this offensive capability adds a level of deterrence," he said. "It adds to our credibility as we promote norms of good behaviour on the international stage. And importantly, familiarity with offensive measures enhances our defensive capabilities as well."

This was naturally viewed as a thinly veiled warning to our cyber enemies -- be they China, Russia, or whoever the cyber enemy of the week is that we've always been at war with.

At the same time on the home front, Turnbull called for companies to 'fess up when they have a security incident; to create an environment of cyber openness, if you will.

"It's very important that we have a more open culture in this area, and we have to lead by example," Turnbull told reporters.

"It's only when people acknowledge there has been a breach that we can actually learn from it and everyone can learn from it ... Often, this is because of a flaw in a software system that is widely used, and so the more we understand about what has happened in one place enables us to protect the others."

The fact to keep in mind while reading these platitudes is that if the government really did think openness was so important to the country, it could force the hand of Australian businesses with legislation.

Currently stalled for the second successive parliament are laws that would give Australia a working data breach-notification scheme.

They slipped by the wayside under Labor, and with the nation headed for a double dissolution election in July, barring a legislative miracle, the laws will fail to pass this parliament as well.

That Labor could have given us the data breach laws the country needed three years ago did not stop them from piling on yesterday.

"Three years after mandatory data breach-notification legislation was introduced into the Parliament by the Labor government, the Liberal Party is set to squib it on this important cybersecurity measure once again," Shadow Attorney-General Mark Dreyfus said.

"As Mr Turnbull announces the beefing up of national cybersecurity defences, he has once again let down Australians on their individual cybersafety. It is ridiculous that the Abbott-Turnbull government has failed to pass what should be an uncontroversial measure after three years of government."

Labor has yet to make any commitment to getting the laws passed in a snappy manner, or at all, if they form government.

But the point remains that while Turnbull was more than happy to wave around one big stick yesterday, another, more important one was left behind.

With ever more information stored digitally by businesses and online services, it is particularly galling that Australia is without a data breach-notification scheme when the nation has data-retention laws that allow approved law-enforcement agencies to access, without a warrant, two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telcos.

In October, Turnbull called for a mutual respect campaign as the nation's data-retention scheme began.

And yet here we are, six months after having been agiled, nimbled, and innovated to the edge of reason, only to find that instead of forcing companies to own up to breaches, the government has decided that politely suggesting confession is a much better plan of attack.

The lack of respect for the value of the general population's private information is appalling, but only in the realm of letting people know when it is mishandled, not in the realm of storing and mining it for economic value.

In its submission [PDF] on the government's draft data breach-notification Bill, the Australian Bankers' Association delivered a warning on behalf of its members.

"For banks, there is the possibility that a data breach could involve a very large number of a bank's customers' data and could involve multiple parties," it said.

"Yet to notify all affected customers could lead to or contribute to 'notification fatigue' and, more concerning, customers developing a form of 'immunity' to numerous notifications, particularly where there may not be steps a customer could take to mitigate their own risk."

Given the current state of affairs, I would welcome the opportunity to suffer notification fatigue.

And although the banks may squeal about it, the government does have the power to force them, and the public, to do things they are not supportive of. In the current political climate, it seems the government has forgotten that it is allowed to make decisions in the economic realm that some find unpalatable.

Asking businesses to own up to whether they have been breached is likely to get about as far as asking them whether any sort of white-collar crime is being committed within their business. They are only going to confess when it is the least bad alternative on offer, and until then, they will sit tight.
