Mandatory data breach notification laws would result in greater security for Australians and improved protection of their sensitive information. And it’s what Australian consumers want. Public concern about data breaches, online privacy and identity fraud is on the rise, and Australians are taking cyber security seriously.
According to the Unisys Security Index conducted by Newspoll, public concerns have hit their highest level in five years. In Australia, the overall index increased 19 points to 129 over the previous year, with increases in all types of security concerns tracked. The 2013 TrustWave Global Security report highlighted that Australia is the second largest target for cybercriminals, second only to the United States. So the question is why we wouldn’t make data breach notification mandatory, when it’s what the Australian public want and it’s their businesses and their data that we ultimately wish to protect.
A mandatory data breach notification law will encourage businesses to protect themselves from significant financial losses and from the silent epidemic affecting companies in Australia, Europe and the United States. Since 2008, companies have been encouraged to comply with the OAIC’s voluntary guide on data breach notification, whereby affected individuals and the OAIC should be notified where there is a “risk of serious harm resulting from a data breach.”
In theory, businesses should already have policies and procedures in place to ensure the information they hold is protected from data breach attacks, including notification where there is a risk of serious harm to affected individuals. In practice, however, the data paints an entirely different picture: the occurrence and cost of cybercrime continue to grow significantly, while the number of events reported has actually declined.
So the next question is: if companies are supposed to have policies and procedures in place to inform clients of incidents, why not make it mandatory? This will ensure our personal information is protected by all, and not just by a few.
Opponents of the data breach notification law are citing spurious arguments against the proposed laws, somehow believing that sticking our heads in the sand against a wave of data crime will facilitate innovation and protection. Blocking the much needed law won’t stimulate innovation or result in increased protection of our sensitive financial information; it will do the opposite.
Why is it that our banks mandate that the minute we find out our credit cards have been lost or stolen we must notify the bank immediately to avoid the risk of financial damage, while a company that loses my credit card data or lets it get into the hands of cybercriminals does not have the same obligation? Companies that do not tell me about a breach are, in essence, stopping me from notifying my bank promptly by withholding the information, and it’s my money and personal identity that’s at risk. By withholding the breach they are assisting the criminals.
Other arguments against the law are equally weak, one being that the privacy commissioner doesn’t have the resources to investigate each case. Does that mean speeding laws shouldn’t be in place because the police can’t be everywhere prosecuting every driver throughout Australia? Of course not. It’s about setting standards and encouraging good practice, to protect us all.
The act would encourage businesses to protect themselves from the growing wave of cybercrime, protecting their brand, their customers and themselves from financial loss; this will stimulate innovation and security initiatives. Securing a business does incur costs, of course, but not protecting your business appropriately could cost you your clients, your reputation and ultimately your business.
The global landscape is changing, and changing fast, and it’s the Australian government’s responsibility to educate and encourage protection in these changing times. The extent of this threat is highlighted by Interpol’s President, who stated that organised international gangs are behind most Internet scams and that cybercrime’s estimated cost is more than that of cocaine, heroin and marijuana trafficking put together.
Consumers have a right to be informed when their personal data has been lost or stolen. Mandatory notification would be a clear benefit to all Australians – both by providing consumers with information about organisations with poor data breach histories and by providing an incentive for organisations to improve their data handling practices.
The fact that consumers are not being notified when their data is stolen is unacceptable. It also points to the fact that currently, we just don’t know how many breaches there are, how big they are and who they’re affecting. Consumers can’t be sure what’s happening to their information and they have a right to know.
Thanks to the media and research institutes, here are just a few examples that made it into the public domain:
- In 2013, 38 million Adobe customers were affected.
- In 2013, 70 million Target customers were impacted by malware attacks on POS devices.
- In 2013, almost 10,000 Telstra customer records were made public on the Internet, in circumstances similar to the 2011 incident.
- In 2013, unauthorised access was gained to usernames, e-mail addresses, session tokens and encrypted/salted versions of passwords for 250,000 Twitter accounts.
- The Ponemon Institute Cost of Cybercrime study (2012) indicated that the cost of cybercrime to the Australian companies studied was over three million dollars.
- In 2012, AAPT’s servers were attacked by the group “Anonymous”.
- In late 2011, over 700,000 Telstra customer records were made publicly accessible over the internet.
- In early 2011, the Sony PlayStation Network was compromised, with approximately 77 million customers affected worldwide.
- In late 2010, a mailing list error resulted in 220,000 letters with incorrect mailing addresses being mailed to Telstra customers.
- In 2009, a design flaw resulted in the online chat transcripts of a depression counselling service being made publicly accessible.