Australia’s Notifiable Data Breaches scheme drives compliance but issues remain

Australia’s data breach notification rules have largely been complied with, but some quarters are calling for more clarity on the reporting threshold and tougher action against errant firms

When Australian startup unicorn Canva confessed to a data breach in May, it took a curious approach to alerting customers to the incident.

It sent its users an email – but the first paragraph heralded the design platform’s latest product news. Only those who read on to the second paragraph learned of the hack.

This was a significant breach – the names and email addresses of 139 million users were exposed, and the hacker viewed “partial credit card and payment details”, although the company found no evidence that this information was stolen.

It did, however, alert the authorities – including the US Federal Bureau of Investigation (FBI).

“We are deeply sorry that this has happened,” said Sebastian Walsh, Canva’s head of security. “Everyone at Canva has been on the receiving end of updates like this, and at a personal level, we know how upsetting it can be. We want to rebuild and regain the trust you have given us and will work hard to earn it.”

The problem is that trust in Australia is at a low ebb. The 2018 Edelman Trust Barometer revealed that public trust is stagnating – Australians’ level of trust was ranked 40th in the world, putting the country in the lower quarter of the 28-market study.

The week before Canva realised it had been hacked, Australia’s information and privacy commissioner, Angelene Falk, made a speech to mark the start of Privacy Week and to examine Australian enterprises’ track record with respect to the Notifiable Data Breaches scheme.

In the 12 months to the end of March 2019, the Office of the Australian Information Commissioner (OAIC) received reports of 964 eligible data breaches, of which 60% were malicious or criminal. Spear phishing was the leading cause, and more than one-third of breaches were prompted by human error.

The OAIC received a further 168 voluntary notifications, in which the threshold of “serious” data breach was not reached or the organisation was not subject to the regulation. It also claimed a 712% increase in notifications since the scheme began in February 2018.

“Our approach in the first year of the scheme has been to drive awareness of entities’ obligations and the causes of data breaches to support better practices,” said Falk.

Even so, she noted that further regulatory action had been necessary and she has “issued a direction-to-comply notification where we uncovered a failure to notify individuals”.

But that was not enough for Phil Kernick, chief technology officer of CQR Consulting, who said he was “a tad cynical about such things”.

“This has achieved entirely what was expected – which is almost nothing,” he added.

Kernick said that although data breaches were reported, the affected companies suffered no reputational damage because their names were not disclosed by the OAIC, and none had been fined.

“Unless they take a sizeable business to the Federal Court and fine it a substantial amount of money, nothing will happen,” said Kernick.

In her speech, Falk noted that some people would like to see “greater use of the regulatory stick” by naming and shaming companies that have incurred a breach.

At present, that is not on the cards, although Falk acknowledged that “increased calls to our inquiry line and the exponential growth in complaints are a clear indicator that the community expects more”.

Kernick said one thing the community ought to expect is greater clarity about the definition of “significant harm”, which is the threshold for companies reporting personal data breaches. At the moment, it is left up to companies to decide what constitutes significant harm.

“The significant harm barrier is too vague,” said Kernick, adding that some companies are disclosing breaches from an abundance of caution, but overall he believes only about one-third of all eligible data breaches in Australia are being reported.

Kernick also called for disclosure rules to apply to breaches of sensitive information as defined under the Privacy Act. “That would take it out of the companies’ hands to self-assess,” he said.

Self-assessment led property valuation company Landmark White to decide that a cyber security breach it experienced recently – which exposed PDF documents detailing property valuations – did not warrant disclosure under data breach notification rules.

But it still alerted the OAIC to the incident, which differed from another incident earlier this year that exposed the personal information of its clients, including names and addresses. Some affected clients suspended their relationship with Landmark White, which also paused trading on the Australian Stock Exchange from February to May 2019.

Simon Howe, director of sales for LogRhythm in Australia and New Zealand, said it was important to remember that in the search for cyber security, regulation and compliance alone will not fix the problem – although that adds to the justification for companies to invest in cyber security.

“It adds to the argument internally,” he said. “Compliance is not the final solution, but it helps.”

As for Australia’s Notifiable Data Breaches scheme’s first year, Howe said: “I don’t know that there was an expectation that there would be sudden change, but it is relevant and is helping to drive attention to the issue.”

But what is still lacking are the resources and skills to tackle cyber security properly, said Howe.

“Companies are still up against a limited supply of people that can help you do this, and where there are people, they are expensive,” he said. “A broad positive is that there is a lot of technology and focus around orchestration automation and collaboration to do this more easily.”

But the race for enterprises to protect their customers is intense. According to IDC, the average time between a data breach and the misuse of a person’s credential is less than 10 days.

Under the Notifiable Data Breaches scheme, companies are expected to report within 30 days or show good reason why they are not doing so.

Companies needing to comply with Europe’s much stricter General Data Protection Regulation have just 72 hours to notify the authorities of a breach. Failure to comply risks a fine of €20m or up to 4% of the company’s global revenues, whichever is greater.

But CQR Consulting’s Kernick is not convinced there is currently the political will in Australia to shift the dial on data breach reporting.

What would light a fire and drive tougher reforms, he said, is “if the parliamentary network was attacked by a criminal gang, or a private school in a nice part of Sydney, where politicians send their kids, was breached”.

“There will need to be self-interest,” he added.
