An insider stealing data causes the company to breach privacy and potentially subjects the company to huge fines under the proposed Compulsory Notification Bill. What happens to the the thief? At the moment nothing if the thief is an employee of the company!

ADMA CEO Jodie Sangster’s recent revelation: “A drop of 18 % for a total of 46 notifications in the year could equally suggest that companies have responded well to his office’s advice on preventing data breaches” is ignorant of the facts.

Many data-breaches are never reported by business owners.

Under the privacy commissioner’s current guidelines persons affected by a data breach should be notified immediately. More often the person receiving the notice contacts the company to question their level of security and to find out what of their information has been compromised.

Recently a Sydney CBD medical practice, under the guidelines of the privacy commissioner, notified patients their data may have been compromised. The notification prompted thousands of abusive calls from patients questioning the centres security with many saying they would never return. In this case patient data was compromised by a long term employee who had conspired with three others to ‘misuse authorised access’ to steal the patient database.

Business owners who know of or have heard of similar experiences will avoid notifying their customers of data-breaches. The 18% drop in total notifications is not a reflection on ADMA’s advice, it is the fear of the detrimental short and long term effects on a business a data-breach report may have.

A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent Security Conference in Canberra, “One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants”.

Insider theft of personally identifying information (PII) is at epidemic levels in Australia and will remain so until legislation is passed that will allow Police to charge employees who steal data. PII is very often a business’s most valuable asset and for many is valued in the millions of dollars. If an employee embezzled the same value in cash they would be charged by Police and likely receive a custodial sentence.

If the Attorney General is at all serious about reducing the incidence of data breaches then she needs to propose adequate legislation to protect business and Australian consumers from insider fraud, the most common of all data breaches.

Submitting a band aid Bill that will have little if any effect on preventing data-breaches is ill conceived and falls well short of providing the protections required to meet increasing levels of insider data-breaches.

Facebook is the prime example. Most people – (as the article suggests) – have a lot of personal data out there that they wouldn’t want to see in the hands of other parties.

Problem is, Facebook gives this data out to their business partners, often without our strictest of permissions to do so.

Is this a breach, or not a breach.

Users would think so, Facebook would say “hey, it’s just between us and our business partners, we deliberately gave them this data”.

That’s how fuzzy the line is, and makes this sort of discussion difficult.

An how much “loss of confidence” does Mr Burke think “individuals” will have if they check their account and see large withdrawals from OS that the “individual” hasn’t authorized? Especially if the bank knew the system had been breached?

Seems to me they are more interested in “increasing value to shareholders” by keeping their privacy section minimally staffed and avoiding potentially damaging reports. Shame their actual clients don’t figure in to the equation…

The sooner DBN because law, the better for all, and if businesses are that worried and against it, it sure as hell does not say much for the confidence they have of their own code, so why should we!

Maybe its time to get rid of the incompetent devs and hire fresh blood who know what they are doing.