What do the new data breach laws mean for your business?

After a series of false starts, the senate has finally passed new data breach laws that force Australian businesses to notify the Australian Information Commissioner of any cyber attacks. The Notifiable Data Breaches Bill, which passed the Senate on 22^nd February 2017 will be enacted into law on 22^nd February 2018 and includes any business or organisation that is accountable under the Privacy Act.

Whilst still controversial, this new law brings Australia into alignment with other countries, who have had the similar data breach requirements for many years, notably the USA who have had these laws for the past 15 years. The belief among many industry heads is that these laws will provide Australians with greater clarity concerning the privacy of their personal information.

Controversy over the new data breach laws

Former Telstra chief information security officer Mike Burgess, who is now an independent strategic cyber security adviser, said he hoped the new laws would lead to cyber security becoming a priority in the boardroom.

Burgess has said that opponents of the legislation, which have included the Australian Industry Group and Association of Data-driven Marketing and Advertising, were wrong to suggest that Australians would end up ignoring any breach notifications, due to ‘notification fatigue’.

However, because of the lack of reporting requirements for data breaches in Australia, it is impossible to say how often Australian organisations have been in a position where private customer data has been exposed. Whether consumers will suffer from ‘notification fatigue’ or not in the future, Macquarie Telecom Group CEO David Tudehope has said the new legislation is a big step forward in keeping consumers in the loop about potential threats to their private information. 

“Consumers need to know promptly when their data may have been lost in a serious breach so they can take their own remedial action,” he said.

“Every day there are reports of new incidents of unauthorised disclosures of private and personal information … Making greater transparency a legal obligation means all boards and management teams know that trying to sweep problems under the carpet is no longer an option.”

Labor senator Lisa Singh hit out at the government for preventing the disclosure requirements from coming into force years earlier, despite supporting the new legislation. In fact, Senator Singh proposed similar legislation in 2014, which was filibustered by the Coalition. Senator Singh said that people had a right to know if their privacy had been breached and that the Turnbull Government should apologise for keeping victims in the dark, in order to avoid passing legislation previously proposed by Labor. 

“Numerous breaches have left Australians exposed while this government was happy to delay. Yahoo, Telstra, and the Department of Immigration have released the personal details of thousands of Australians since 2014, without having any requirement to notify the victims,” Senator Singh said.

“The Coalition government’s obsession with playing politics has led to an unnecessary three-year delay in progressing this legislation and protecting victims.”

Unclear reporting parameters

Data breaches that need to be reported to the Australian Information Commissioner under the new legislation are defined as those where there is an unauthorised access, disclosure or loss of personal information held by an entity, which is likely to result in ‘serious harm’ to owners of the breached information. However, questions have arisen about the definition of ‘serious harm’ and Mike Burgess has pointed out that there is every chance that the definition could vary between consumers and businesses.

Concerning the definition of ‘serious harm’, Steve Ingram, the PwC Asia Pacific cyber lead partner, has said that organisations should take the new legislation as a chance to define or refresh their cyber strategy. He said this required organisations to take cyber attacks seriously and for the market to be mature in its understanding that breaches could happen to anyone.

“It is not just about putting new software in place, but to also take time to define what a breach is and then who is responsible for managing and containing the breaches and alerting the customers,” he said.

“As much as some organisations are nervous about this, it does and will happen to everyone and the sooner we talk about it publicly, the sooner we’ll increase the maturity of the market.”

How will organisations deal with these new laws?

The Office of the Australian Information Commissioner received 107 voluntary data breach notifications during 2015 to 2016 with the main notifier being the federal government, followed by the financial services sector. However, it is likely these notifications will increase significantly once the new legislation is enacted in early 2018.

Timothy Pilgrim, the Australian Information and Privacy Commissioner, has stated that his office would be advised of any notifications and would determine if further action was needed.

“The new scheme will strengthen the protections afforded to everyone’s personal information, and will improve transparency in the way that the public and private sectors respond to serious data breaches,” he said.

Rajiv Shah BAE Systems cyber, intelligence and security director, has said that the passing of the laws should stimulate a culture of information sharing.

“The Notifiable Data Breaches Bill shows clear leadership, crucial to breaking down an existing culture of denial as to the scope and scale of cyber attacks, which is hampering efforts to combat the activities of cyber criminals,” he said.

You can find out more about the new data breach legislation on the Office of the Australian Information Commissioner website: https://www.oaic.gov.au/media-and-speeches/statements/mandatory-data-breach-notification