Australian organisations that have been able to self-manage their IT indiscretions and security breaches may soon be legally obliged to disclose them when the mandatory data breach notification scheme comes into effect on February 22.
After many failed attempts and numerous governments, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed through the federal parliament earlier this year, meaning businesses, service providers and government agencies subject to the Privacy Act will soon need to report when their systems have been compromised due to technical shortcomings or cyber attack.
Given the recent number of data breaches, such as last year’s Australian Red Cross Blood Bank Service breach in which the details of many donors were exposed online, many believe the legislation is long overdue. So much so the bill gained support from all sides of parliament.
It is a clear message that regulation is required to keep the interests of the community at the forefront of business practices. It also reaffirms that an individual has the right to privacy, and whoever collects, processes and stores private information has a responsibility to secure it.
Who will be affected?
The bill applies to organisations that have responsibilities under the Privacy Act, including Australian Government agencies, not-for-profit organisations and businesses with an annual turnover of more than $3 million.
But the Privacy Act also applies to some types of businesses with an annual turnover of $3 million or less, including:
- Private sector health services providers - even alternative medicine practices, gyms and weight loss clinics fall under this category
- Childcare centres, private schools and private tertiary educational institutions
- Businesses that sell or purchase personal information along with credit reporting bodies.
The bill stipulates disclosure is required following an “eligible data breach”, which is defined by the belief an individual is at “risk of serious harm” due to the disclosure of their personal information.
Some have argued an organisation’s ability to internally evaluate what constitutes risk of serious harm provides an opportunity for some organisations to get around the bill’s mandatory disclosure requirements through interpretation. This opportunity may exist, but organisations need to tread carefully, as blatant disregard and avoidance will be identified and organisations will be held accountable.
Notifications and penalties
Where an organisation has identified a breach, it is required to notify the Privacy Commissioner and affected customers within 30 days. As detailed in the bill, failure to comply with the new notification scheme will be “deemed to be an interference with the privacy of an individual” and there will be consequences:
“A civil penalty for serious or repeated interferences with the privacy of an individual will only be issued by the Federal Court or Federal Circuit Court of Australia following an application by the [Privacy] Commissioner. Serious or repeated interferences with the privacy of an individual attract a maximum penalty of $360,000 for individuals and $1,800,000 for bodies corporate.”
Claims of notification fatigue and heavy-handedness
Critics and opponents of the bill claim organisations will be overwhelmed with reporting requirements resulting in notification fatigue. They say an unreasonable compliance burden would see organisations having difficulty understanding their obligations.
Some may argue these critics are unable to grasp what is required in this digital age. The game has changed and the risks have intensified. The stakes have never been higher, and our nation’s assets have never been more under cyber threat.
There is no doubt the bill will introduce additional workloads and complexity for some organisations, but this is simply the cost of doing business in the digital age. The upside of the online economy far outweighs any additional reporting requirements.
Emerging IT trends only heighten concerns and the Internet of Things will blow the door off current ideas of what constitutes a target, introducing risks of breach and disclosure that for many still seem unimaginable. The issues facing medical service providers are of specific concern. The depth of community engagement, the type of data collected and the criticality of the services provided will see the pervasiveness of the mandatory data breach notification scheme come to life in real terms.
Health providers need to get their processes and controls in order. “Serious harm” within a medical context means genuine ramifications and considerable penalties in the event of a breach.
Take it as a positive
Organisations should view the introduction of this legislation as a benefit in terms of their cyber security efforts. It’s an opportunity to align people, processes and technology to ensure better compliance and more effective security controls to combat cyber attacks and emerging threats. This legislation will provide clarity of purpose, and it will help senior executives identify where their security dollars should be spent - and why.
Alan Mihalic is a Cyber Security Advisor at Norman Disney & Young and chair of the working group Cyber Smart Buildings at the Internet of Things Security Foundation (IOTSF).