
‘You’ve been hacked’: why data-breach reporting should be mandatory

If someone got access to your personal information, wouldn’t you want to know? subcircle/Flickr


In an age of Facebook, eBay and online banking, data privacy is becoming more important than ever before. The majority of Australians have personal information stored online with a range of organisations and companies – information we’d rather the whole world didn’t have access to.

A discussion paper released by federal Attorney-General Nicola Roxon on Wednesday could be a step forward in the fight to keep private data, well, private.

Entitled “Australian Privacy Breach Notification”, the discussion paper asks whether companies and other organisations should be required to report any breaches that occur to personal data they are storing.

You’re getting mail

Only a day after Ms Roxon released the discussion paper we saw a great example of why mandatory data-breach notification is required.

On Thursday Australia Post shut down its electronic parcel tracking service after a computer malfunction exposed the personal details of thousands of customers who were sent parcels. Mandatory data-breach reporting would have required Australia Post to tell customers of the breach immediately, rather than having the message delivered through the media the following day.

Of course, Australia Post is not alone - many large Australian companies and organisations – including Telstra, Defence and Medvet – have suffered data breaches in the recent past.

Time to take privacy seriously

In a press release on Wednesday explaining the motivations behind the new discussion paper, Ms Roxon said:

Australians who transact online rightfully expect their personal information will be protected.

What Ms Roxon didn’t say was that the majority of companies don’t appear to take customer privacy very seriously.

Currently, if an Australian company suffers a data or security breach, it is encouraged (but not required) to disclose the details to the Privacy Commissioner.

But the reality is that very few companies notify the Privacy Commissioner of data breaches, and the number of notifications is dropping. This is borne out by a review of data breaches that customers have reported online and that have been reported in the media.

And, as former hacker Kevin Mitnick told Fairfax on August 9, there’s little motivation for a company to admit they’ve been hacked and had data stolen:

Think about it: if you were running a multi-million dollar company and your database of customer information was stolen would you want to tell your clients? No.

Most [US] companies did not until the laws required them to. It’s in the best interest of organisations - when they’re attacked and information is stolen - to tell nobody.

Consumer confidence

Not everyone is a fan of the proposed mandatory data-breach reporting. The Australian Banking Association (ABA) acting chief, Tony Burke, said today that mandatory data-breach reporting would lead to:

an unwarranted loss of confidence in Australia’s payment systems to the detriment of all.

Attempting to notify individuals potentially affected could lead to significant levels of community concern, disproportionate to the actual level of risk, which could well be zero.

What Mr Burke does not appear to acknowledge is the fundamental right of every Australian to know if their personal data has been compromised. Australians should be able to select a bank based upon the bank’s record of keeping personal data secure.

Protecting the people

So how would mandatory data-breach reporting help the average consumer?

As Australian Privacy Commissioner Timothy Pilgrim said in a press release on Wednesday:

Where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can … change passwords or account numbers if they know a data breach has occurred.

If nothing else, it will force companies to let consumers know directly if their information has been compromised – surely better than reading about it in the newspaper the next day or finding out when a criminal uses the information to commit fraud.

What companies will have to do

The possibility of mandatory data-breach notification laws raises the question of their impact on Australian organisations. For some the new requirements would have a minimal effect, but for many others there would be a real need for change.

The first question every Australian company will need to be able to answer is: “If there is a data breach will we recognise that the breach has occurred?”

For many organisations this will not be an easy question to answer. Most Australian companies are connected to the internet through low-cost security devices that are typically left on their default settings.

Often no security professional is contracted to monitor the company’s internet connection, or the systems that deliver products and services to customers over the internet, so an intrusion can go unnoticed for as long as the intruder chooses to stay quiet.

What this means is that Australian companies will need to audit every system that interfaces with the internet to ensure that intrusions can be detected. Those systems will also need to retain the records (logs and other evidence) that would be handed to the authorities if an intrusion turns into a data breach.

One approach Australian companies should adopt is an intrusion detection system (IDS) that is set up, maintained and, above all, monitored by appropriately trained network engineers; an IDS that nobody watches gives no more warning than no IDS at all.
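As an added example (not code from the article, nor from any of the organisations it names), the following script shows the kind of check that answers the question “would we recognise a breach?” for one common pattern: a single client walking through customer record identifiers on a lookup endpoint, which is what a leaking tracking or account page looks like in the access log. The log lines are constructed for the example, the `/track/<id>` endpoint is hypothetical, and the 60-second window and 20-record threshold are assumed tuning values. The last function packages the offending lines with a hash so that the copy given to the authorities can later be checked against the original log.

```python
"""Access-log check for customer-record enumeration, with an evidence record.

Added example; not code from the article. The log lines, the /track/<id>
endpoint, the window and the threshold are all constructed assumptions.
"""
import hashlib
import json
import re
from collections import Counter
from datetime import datetime, timedelta

# Combined log format. The customer record id is taken from the path of the
# hypothetical lookup endpoint /track/<id>.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
RECORD_RE = re.compile(r'^/track/(?P<id>\d+)$')


def constructed_log():
    """Constructed sample, not real traffic: one genuine customer checking a
    parcel, then one client requesting 40 consecutive ids at one per second."""
    lines = [
        '203.0.113.5 - - [11/Oct/2012:09:00:01 +1000] "GET /track/10000123 HTTP/1.1" 200 512',
        '203.0.113.5 - - [11/Oct/2012:09:05:30 +1000] "GET /track/10000123 HTTP/1.1" 200 512',
        '203.0.113.5 - - [11/Oct/2012:09:05:31 +1000] "GET /static/logo.png HTTP/1.1" 200 8044',
    ]
    base = datetime(2012, 10, 11, 9, 10, 0)
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime('%d/%b/%Y:%H:%M:%S +1000')
        lines.append(f'198.51.100.77 - - [{ts}] "GET /track/{20000000 + i} HTTP/1.1" 200 498')
    return lines


def parse_lookups(lines):
    """Keep only requests that fetch a customer record; other requests are
    irrelevant to this detector. Each entry keeps its raw line for evidence."""
    out = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        r = RECORD_RE.match(m.group('path'))
        if not r:
            continue
        out.append({
            'ip': m.group('ip'),
            'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
            'record': r.group('id'),
            'status': int(m.group('status')),
            'raw': raw,
        })
    return out


def detect_enumeration(entries, window=timedelta(seconds=60), threshold=20):
    """One alert per client whose busiest sliding window touched at least
    `threshold` distinct records. A genuine customer re-checking their own
    parcel never raises the distinct count above one."""
    by_ip = {}
    for e in entries:
        by_ip.setdefault(e['ip'], []).append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        seen = Counter()          # record id -> hits inside the current window
        left = 0
        best = (0, 0, 0)          # (distinct records, left index, right index)
        for right, e in enumerate(evs):
            seen[e['record']] += 1
            while e['ts'] - evs[left]['ts'] > window:   # slide the window forward
                old = evs[left]['record']
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) > best[0]:
                best = (len(seen), left, right)
        distinct, lo, hi = best
        if distinct >= threshold:
            alerts.append({
                'client': ip,
                'distinct_records': distinct,
                'window_start': evs[lo]['ts'].isoformat(),
                'window_end': evs[hi]['ts'].isoformat(),
                'lines': [x['raw'] for x in evs[lo:hi + 1]],
            })
    return alerts


def evidence_record(alert):
    """Summarise an alert and hash the raw lines it rests on, so the copy
    handed to the regulator can be checked against the retained log later."""
    body = '\n'.join(alert['lines']).encode()
    summary = {k: v for k, v in alert.items() if k != 'lines'}
    summary['line_count'] = len(alert['lines'])
    summary['sha256'] = hashlib.sha256(body).hexdigest()
    return summary


if __name__ == '__main__':
    for alert in detect_enumeration(parse_lookups(constructed_log())):
        print(json.dumps(evidence_record(alert), indent=2))
```

On the constructed sample the detector raises exactly one alert, for the client that fetched 40 distinct records inside a single minute, and none for the customer who looked up the same parcel twice. The thresholds are the part a real deployment has to tune: set too low, the check flags legitimate bulk users; set too high, a slow scraper walks the whole database unnoticed, which is why the window should be chosen from the site’s own traffic rather than copied from here.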

Companies will need to adopt a culture that will raise the focus on security and privacy to a level previously not seen in Australia.

The Attorney-General should consider introducing a mandatory annual network and system security audit for all companies or organisations that may be subject to a data breach.

The overseas angle

Most US states now have data-breach notification laws and the US federal government is considering introducing uniform national laws.

Europe is in a similar situation. Existing EU law does not cover every organisation that might suffer a data breach: only providers of electronic communications services (carriers) are required to notify regulators and customers of data breaches.

The European Union is also considering laws that would cover all organisations that may be subject to data breaches.

The timing of Ms Roxon’s announcement, considering the aforementioned moves in the US and Europe, may lead to a belief that Australia is acting in concert with legislative changes overseas.

Australia must be prepared to get out in front of other nations because privacy and security reform is long overdue.

Early days

Ms Roxon’s announcement and the release of the discussion paper should be applauded because Australians are being subjected to privacy attacks from all angles.

Examples that we should remember include the Sony PlayStation data breach in which 1.5 million Australian accounts were exposed, and the Google Wi-Fi data harvest.

Of course the discussion paper is just the first step down the path of mandatory data-breach reporting in Australia, and many questions remain, including:

  • who should be notified in the case of a data breach?
  • should penalties apply when an organisation fails to comply?

But as we move forward in this era of online transactions and social media – an era that will feature the NBN and its many opportunities and applications – there’s a need for security and privacy legislation to keep pace.

Most importantly, there’s a need for Australians to feel confident that their personal information is being kept safe by those we entrust it to.

The federal government is seeking submissions following the release of their discussion paper. To have your say, visit the Attorney-General’s website for details. Submissions close November 23.