In an age of Facebook, eBay and online banking, data privacy is becoming more important than ever before. The majority of Australians have personal information stored online with a range of organisations and companies – information we’d rather the whole world didn’t have access to.
A discussion paper released by federal Attorney-General Nicola Roxon on Wednesday could be a step forward in the fight to keep private data, well, private.
Entitled “Australian Privacy Breach Notification”, the discussion paper asks whether companies and other organisations should be required to report any breaches that occur to personal data they are storing.
You’re getting mail
Only a day after Ms Roxon released the discussion paper we saw a great example of why mandatory data-breach notification is required.
On Thursday Australia Post shut down its electronic parcel tracking service after a computer malfunction exposed the personal details of thousands of customers who had been sent parcels. Mandatory data-breach reporting would have required Australia Post to tell affected customers of the breach promptly and directly, rather than having the message delivered through the media the following day.
Of course, Australia Post is not alone – many large Australian companies and organisations – including Telstra, Defence and Medvet – have suffered data breaches in the recent past.
Time to take privacy seriously
In a press release on Wednesday explaining the motivations behind the new discussion paper, Ms Roxon said:
Australians who transact online rightfully expect their personal information will be protected.
What Ms Roxon didn’t say was that the majority of companies don’t seem to take customer privacy very seriously.
Currently, if an Australian company suffers a data or security breach, it is encouraged (but not required) to disclose the details to the Privacy Commissioner.
But the reality is that very few companies report data breaches to the Commissioner, and the number of reports is dropping. That picture is corroborated by a review of data breaches reported online by customers and in the media.
And, as former hacker Kevin Mitnick told Fairfax on August 9, there’s little motivation for a company to admit they’ve been hacked and had data stolen:
Think about it: if you were running a multi-million dollar company and your database of customer information was stolen would you want to tell your clients? No.
Most [US] companies did not until the laws required them to. It’s in the best interest of organisations – when they’re attacked and information is stolen – to tell nobody.
Consumer confidence
Not everyone is a fan of the proposed mandatory data-breach reporting. The Australian Banking Association (ABA) acting chief, Tony Burke, said today that mandatory data-breach reporting would lead to:
an unwarranted loss of confidence in Australia’s payment systems to the detriment of all.
Attempting to notify individuals potentially affected could lead to significant levels of community concern, disproportionate to the actual level of risk, which could well be zero.
What Mr Burke does not appear to acknowledge is the fundamental right of every Australian to know if their personal data has been compromised. Australians should be able to select a bank based upon the bank’s record of keeping personal data secure.
Protecting the people
So how would mandatory data-breach reporting help the average consumer?
As Australian Privacy Commissioner Timothy Pilgrim said in a press release on Wednesday:
Where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can … change passwords or account numbers if they know a data breach has occurred.
If nothing else, it will force companies to let consumers know directly if their information has been compromised – surely better than reading about it in the newspaper the next day or finding out when a criminal uses the information to commit fraud.
What companies will have to do
The possibility of mandatory data-breach notification laws raises the question of impact on Australian organisations. For some the new requirements would have a minimal effect, but for many others there would be a need for change.
The first question every Australian company will need to be able to answer is: “If there is a data breach, will we recognise that the breach has occurred?”
For many organisations this will not be an easy question to answer. Most Australian companies are connected to the internet using low-cost security devices that are typically left on their default settings.
Security professionals are typically not engaged to monitor the company’s internet connection or the systems that provide products or services to customers over the internet.
What this means is that Australian companies will need to audit every system that interfaces with the internet to ensure that security breaches can be identified. Security systems will also need to collect and retain evidence (logs of who accessed what, and when) that can be provided to the authorities if a security breach leads to a data breach.
One approach that should be adopted by Australian companies is to utilise intrusion detection systems (IDS) that are set up, maintained and monitored by appropriately trained network engineers. An IDS that nobody watches or tunes produces alerts that are never acted on, which is little better than having none.
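The question raised above, whether an organisation would even notice that customer records were being taken from an internet-facing service, is easier to reason about with something concrete. What follows is an added example written for this page; it is not code from the article or from any organisation named in it. It reads web server access logs for a hypothetical parcel-tracking endpoint and flags a client that successfully retrieves an unusually large number of distinct customer records within a short window, keeping the evidence (client address, time range, record identifiers) that a customer notification or a report to the regulator would need. The log lines, the `/track?id=` path, the IP addresses and the thresholds are all constructed for illustration.

```python
"""Added example (not from the article): a minimal log-based detector for a
client bulk-retrieving customer records from an internet-facing service.
All log lines, paths, addresses and thresholds are constructed for illustration."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line, e.g.
# 203.0.113.5 - - [09/Aug/2012:10:00:01 +1000] "GET /track?id=AP100200300 HTTP/1.1" 200 842
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Hypothetical tracking endpoint: one tracking number per request.
TRACK_RE = re.compile(r"^/track\?id=(?P<tid>[A-Z0-9]+)$")

WINDOW_SECONDS = 60        # sliding window per client
DISTINCT_ID_THRESHOLD = 20  # distinct records in one window that we call enumeration

# Constructed sample log: a few legitimate lookups (one repeat, one 404),
# then one client walking sequential tracking numbers one second apart.
LEGITIMATE = [
    '203.0.113.5 - - [09/Aug/2012:10:00:01 +1000] "GET /track?id=AP100200300 HTTP/1.1" 200 842',
    '198.51.100.7 - - [09/Aug/2012:10:00:09 +1000] "GET /track?id=AP100200777 HTTP/1.1" 200 839',
    '203.0.113.5 - - [09/Aug/2012:10:05:30 +1000] "GET /track?id=AP100200300 HTTP/1.1" 200 842',
    '198.51.100.7 - - [09/Aug/2012:10:06:00 +1000] "GET /track?id=AP100209999 HTTP/1.1" 404 231',
]
ENUMERATION = [
    f'192.0.2.44 - - [09/Aug/2012:10:10:{i:02d} +1000] "GET /track?id=AP1002{i:05d} HTTP/1.1" 200 840'
    for i in range(25)
]
SAMPLE_LOG = "\n".join(LEGITIMATE + ENUMERATION) + "\n"


def parse_line(line):
    """Return a dict for a tracking lookup, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    tm = TRACK_RE.match(m.group("path"))
    if not tm:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "tid": tm.group("tid"),
        "status": int(m.group("status")),
    }


def detect_enumeration(log_text, window=WINDOW_SECONDS, threshold=DISTINCT_ID_THRESHOLD):
    """Per client, find the window of `window` seconds with the most distinct
    successfully retrieved tracking numbers; alert if it reaches `threshold`.
    Only 200 responses count: a failed lookup disclosed nothing."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["status"] == 200:
            events[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # tracking number -> hits inside the current window
        start = 0
        best = None
        for end, ev in enumerate(evs):
            in_window[ev["tid"]] += 1
            # Slide the window start forward until it spans at most `window` seconds.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window:
                old = evs[start]["tid"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if best is None or len(in_window) > best["distinct_ids"]:
                # Keep the evidence a breach report would need.
                best = {
                    "client": ip,
                    "distinct_ids": len(in_window),
                    "window_start": evs[start]["ts"].isoformat(),
                    "window_end": ev["ts"].isoformat(),
                    "sample_ids": sorted(in_window)[:5],
                }
        if best["distinct_ids"] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Repeated lookups of the same record and failed lookups are deliberately not counted, so a customer refreshing their own parcel page does not trip the detector; a real deployment would tune the window and threshold to the service's normal traffic and feed the alert into whatever incident process the organisation has, since the detection is only useful if someone acts on it.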
Companies will need to adopt a culture that will raise the focus on security and privacy to a level previously not seen in Australia.
The Attorney-General should consider introducing a mandatory annual network and system security audit for all companies or organisations that may be subject to a data breach.
The overseas angle
Most US states now have data-breach notification laws and the US federal government is considering introducing uniform national laws.
Europe is in a similar situation. The existing rules don’t cover all organisations exposed to potential data breaches: only providers of electronic communications services (telecommunications carriers) are required to notify regulators and customers of data breaches.
The European Union is also considering laws that would cover all organisations that may be subject to data breaches.
The timing of Ms Roxon’s announcement, considering the aforementioned moves in the US and Europe, may lead to a belief that Australia is acting in concert with legislative changes overseas.
Australia must be prepared to get out in front of other nations because privacy and security reform is long overdue.
Early days
Ms Roxon’s announcement and the release of the discussion paper should be applauded because Australians are being subjected to privacy attacks from all angles.
Examples that we should remember include the Sony PlayStation data breach in which 1.5 million Australian accounts were exposed, and the Google Wi-Fi data harvest.
Of course the discussion paper is just the first step down the path of mandatory data-breach reporting in Australia and many questions remain, including:
- who should be notified in the case of a data breach?
- should penalties apply when an organisation fails to comply?
But as we move forward in this era of online transactions and social media – an era that will feature the NBN and its many opportunities and applications – there’s a need for security and privacy legislation to keep pace.
Most importantly, there’s a need for Australians to feel confident that their personal information is being kept safe by those we entrust it to.
The federal government is seeking submissions following the release of their discussion paper. To have your say, visit the Attorney-General’s website for details. Submissions close November 23.
Tim Scanlon
Debunker
I think the penalties have to match the crime as well. We've seen countless examples of wrist slaps for credit card theft; one here in WA was for 50,000 cards, at a value of a few million dollars in credit and even more in identity theft, and the thief didn't even get a decent fine.
For my home security I've labelled my wi-fi "CIA Black Site". So far I've had no problems with hackers.
Jay Wulf
Consultant
You know you can disable Wi-Fi SSID (name) broadcasts?
Clever names like this are nothing but narcissistic jokes.
Defense in depth if you are serious about it.
N.B. The 'no problem with hackers' comment marks you as a non-INFOSEC person; real hackers of the really nasty kind try not to leave signs that they compromised your computer. Computer vandals are another thing...
Yoron Hamber
Thinking
A hacker is someone fascinated with computers, digital information, and the sense of outwitting security. Most do nothing more than prove to themselves that they 'can' bypass your security. Some will leave a mess telling you that you've been hacked, meaning that they found it easier than you expected to get in, must to warn you. Then you have idiots calling themselves hackers that just brute force, and then those coming from poverty wanting money/power of some kind, and to those you in some cases can add 'supported through their governments', as the Russian FBS are alleged to do. Then we have those paid by the government, as working for the NSA, and then we have the 'crackers' whose joy seems to be in destroying whatever information/system you have. And then you can combine all of the above into whatever suits one's need.
But old-time hackers are supposed to have an ethic. And I agree, a name like CIA will most probably invite you as a target. Better to hide your Wi-Fi, and encrypt it.
Yoron Hamber
Thinking
Sorry, my spelling isn't the best up there, is it :)
'must' should be read as 'most'
and
FBS = FSB (Federal'naya sluzhba bezopasnosti Rossiyskoy Federatsii) is the new Federal Security Service of the Russian Federation, formerly the KGB.
NSA and Echelon should be well known in Australia as you have some facilities used by them.
Yoron Hamber
Thinking
http://en.wikipedia.org/wiki/ECHELON .. Not to be confused with Echelon Australia that according to themselves 'provides innovative, customised risk consulting solutions' :)
Mark A. Lane
logged in via LinkedIn
Interesting retort, looking forward to reading the responses to the discussion paper.
You might want to change your Wi-Fi, Tim: http://en.wikipedia.org/wiki/Black_site ...;)
Jay Wulf
Consultant
There is adequate security legislation already in place.
However, having worked in health infosec, I have found an amazing WILLFUL ignorance and refusal to do anything about it. Why? Because it is expensive and complicates matters and is 'unlikely' to happen.
The mindsets of CEOs and directors are basically a calculation.
Likelihood of occurring vs cost.
Rare, high-consequence events. Basically (one) of the root causes of the GFC: the same calculated reasoning.
Security noncompliance is not an accident, it's a highly reasoned cost-saving measure.
Data Theft
logged in via Twitter
Insider theft of personally identifying information and IP is at epidemic levels in Australia and will remain so until legislation is passed that will allow Police to charge employees who steal data. If an employee embezzled the same value in cash they would be charged by Police and likely receive a custodial sentence.
If the Attorney General is at all serious about reducing the incidence of data breaches then she needs to propose adequate legislation to protect business and Australian consumers from insider fraud, the most common of all data breaches.