Why data breach reporting should be mandatory


This article is by Mark Gregory, a senior lecturer in Electrical and Computer Engineering at RMIT University. It was first published on The Conversation and is re-published here with permission.

analysis In an age of Facebook, eBay and online banking, data privacy is becoming more important than ever before. The majority of Australians have personal information stored online with a range of organisations and companies – information we’d rather the whole world didn’t have access to.

A discussion paper released by federal Attorney-General Nicola Roxon on Wednesday could be a step forward in the fight to keep private data, well, private. Entitled “Australian Privacy Breach Notification”, the discussion paper asks whether companies and other organisations should be required to report any breaches that occur to personal data they are storing.

Only a day after Ms Roxon released the discussion paper we saw a great example of why mandatory data-breach notification is required. On Thursday Australia Post shut down its electronic parcel tracking service after a computer malfunction exposed the personal details of thousands of customers who were sent parcels. Mandatory data-breach reporting would have required Australia Post to tell customers of the breach immediately, rather than having the message delivered through the media the following day.

Of course, Australia Post is not alone – many large Australian companies and organisations – including Telstra, Defence and Medvet – have suffered data breaches in the recent past.

In a press release on Wednesday explaining the motivations behind the new discussion paper, Ms Roxon said: “Australians who transact online rightfully expect their personal information will be protected.” What Ms Roxon didn’t say was the majority of companies don’t seem to take customer privacy very seriously. Currently, if an Australia company suffers a data or security breach, they are encouraged (but not required) to disclose the details to the Privacy Commissioner.

But the reality is very few companies report data-breach notifications, and the number of reports is dropping. These facts are corroborated by a review of data breaches reported online by customers and in the media.

And, as former hacker Kevin Mitnick told Fairfax on August 9, there’s little motivation for a company to admit they’ve been hacked and had data stolen: “Think about it: if you were running a multi-million dollar company and your database of customer information was stolen would you want to tell your clients? No. Most [US] companies did not until the laws required them to. It’s in the best interest of organisations – when they’re attacked and information is stolen – to tell nobody.”

Not everyone is a fan of the proposed mandatory data-breach reporting. The Australian Banking Association (ABA) acting chief, Tony Burke said today that mandatory data breach reporting would lead to: “… an unwarranted loss of confidence in Australia’s payment systems to the detriment of all. Attempting to notify individuals potentially affected could lead to significant levels of community concern, disproportionate to the actual level of risk, which could well be zero.”

What Mr Burke does not appear to acknowledge is the fundamental right of every Australian to know if their personal data has been compromised. Australians should be able to select a bank based upon the bank’s record of keeping personal data secure.

So how would mandatory data-breach reporting help the average consumer? As Australian Privacy Commissioner Timothy Pilgrim said in a press release on Wednesday: “Where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can … change passwords or account numbers if they know a data breach has occurred.”

If nothing else, it will force companies to let consumers know directly if their information has been compromised – surely better than reading about it in the newspaper the next day or finding out when a criminal uses the information to commit fraud.

The possibility of mandatory data-breach notification laws raises the question of impact on Australian organisations. For some the new requirements would have a minimal effect, but for many others there would be need for change. The first question every Australian company will need to be able to answer is: “If there is a data breach will we recognise that the breach has occurred?”

For many organisations this will not be an easy question to answer. Most Australian companies are connected to the internet using low-cost security devices that are typically set up using default settings. Professionals are not contracted to monitor the company’s connection to the internet and systems that provide products or services to customers over the internet. What this means is Australian companies will need to audit every system that interfaces with the internet to ensure security breaches can be identified. Security systems will also need to be able to collect information that can be provided to the authorities if a security breach leads to a data breach.

One approach that should be adopted by Australian companies is to utilise Intrusion Detection Systems (IDS) which are set up, maintained and monitored by appropriately trained network engineers. Companies will need to adopt a culture that will raise the focus on security and privacy to a level previously not seen in Australia. The Attorney-General should consider introducing a mandatory annual network and system security audit for all companies or organisations that may be subject to a data breach.

Most US states now have data-breach notification laws and the US federal government is considering introducing uniform national laws. Europe is in a similar situation. The existing laws don’t cover all organisations subjected to potential data breaches and only electronic communication providers (carriers) are required to notify regulators and customers of data breaches. The European Union is also considering laws that would cover all organisations that may be subject to data breaches.

The timing of Ms Roxon’s announcement, considering the aforementioned moves in the US and Europe, may lead to a belief that Australia is acting in concert with legislative changes overseas. Australia must be prepared to get out in front of other nations because privacy and security reform is long overdue.

Ms Roxon’s announcement and the release of the discussion paper should be applauded because Australians are being subjected to privacy attacks from all angles. Examples that we should remember include the Sony PlayStation data breach in which 1.5 million Australian accounts were exposed, and the Google Wi-Fi data harvest.

Of course the discussion paper is just the first step down the path of mandatory data-breach reporting in Australia and many questions remain. Including: Who should be notified in the case of a data breach? Should penalties apply when an organisation fails to comply? But as we move forward in this era of online transactions and social media – an era that will feature the NBN and its many opportunities and applications – there’s a need for security and privacy legislation to keep pace. Most importantly, there’s a need for Australians to feel confident that their personal information is being kept safe by those we entrust it to.

The federal government is seeking submissions following the release of their discussion paper. To have your say, visit the Attorney-General’s website for details. Submissions close November 23.

Mark Gregory does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. This article was originally published at The Conversation. Read the original article.

The Conversation


  1. huh? The banks are worried we’ll have little confidence in them? oh thats right, the banks still live in 1970, once they have their morning coffee they’ll realise hardly anyone has faith or confidence in them, just look at the lies they tell us to justify their refusal to pass on full reserve bank cuts, yet we hear from international experts saying their costs have actually reduced, and its proved still, every qtr, when they continue to make record profits.

    The sooner DBN because law, the better for all, and if businesses are that worried and against it, it sure as hell does not say much for the confidence they have of their own code, so why should we!

    Maybe its time to get rid of the incompetent devs and hire fresh blood who know what they are doing.

  2. “Tony Burke said today that mandatory data breach reporting would lead to: “… an unwarranted loss of confidence in Australia’s payment systems to the detriment of all. Attempting to notify individuals potentially affected could lead to significant levels of community concern, disproportionate to the actual level of risk, which could well be zero.””

    An how much “loss of confidence” does Mr Burke think “individuals” will have if they check their account and see large withdrawals from OS that the “individual” hasn’t authorized? Especially if the bank knew the system had been breached?

    Seems to me they are more interested in “increasing value to shareholders” by keeping their privacy section minimally staffed and avoiding potentially damaging reports. Shame their actual clients don’t figure in to the equation…

  3. This all depends on what you call a “breach”.

    Facebook is the prime example. Most people – (as the article suggests) – have a lot of personal data out there that they wouldn’t want to see in the hands of other parties.

    Problem is, Facebook gives this data out to their business partners, often without our strictest of permissions to do so.

    Is this a breach, or not a breach.

    Users would think so, Facebook would say “hey, it’s just between us and our business partners, we deliberately gave them this data”.

    That’s how fuzzy the line is, and makes this sort of discussion difficult.

  4. OCT
    Compulsory data-breach notification will do nothing to protect Australians
    Attorney General Nicola Roxons’ proposed compulsory data breach notification does not address the real issues facing Australian consumers and business. There is no evidence that compulsory notification will protect Australians and frankly any notification of a breach is usually too late anyway. If there is going to be compulsory notification there also needs to tough legislation to deal with the persons who steal the data.

    An insider stealing data causes the company to breach privacy and potentially subjects the company to huge fines under the proposed Compulsory Notification Bill. What happens to the the thief? At the moment nothing if the thief is an employee of the company!

    ADMA CEO Jodie Sangster’s recent revelation: “A drop of 18 % for a total of 46 notifications in the year could equally suggest that companies have responded well to his office’s advice on preventing data breaches” is ignorant of the facts.

    Many data-breaches are never reported by business owners.

    Under the privacy commissioner’s current guidelines persons affected by a data breach should be notified immediately. More often the person receiving the notice contacts the company to question their level of security and to find out what of their information has been compromised.

    Recently a Sydney CBD medical practice, under the guidelines of the privacy commissioner, notified patients their data may have been compromised. The notification prompted thousands of abusive calls from patients questioning the centres security with many saying they would never return. In this case patient data was compromised by a long term employee who had conspired with three others to ‘misuse authorised access’ to steal the patient database.

    Business owners who know of or have heard of similar experiences will avoid notifying their customers of data-breaches. The 18% drop in total notifications is not a reflection on ADMA’s advice, it is the fear of the detrimental short and long term effects on a business a data-breach report may have.

    A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent Security Conference in Canberra, “One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants”.

    Insider theft of personally identifying information (PII) is at epidemic levels in Australia and will remain so until legislation is passed that will allow Police to charge employees who steal data. PII is very often a business’s most valuable asset and for many is valued in the millions of dollars. If an employee embezzled the same value in cash they would be charged by Police and likely receive a custodial sentence.

    If the Attorney General is at all serious about reducing the incidence of data breaches then she needs to propose adequate legislation to protect business and Australian consumers from insider fraud, the most common of all data breaches.

    Submitting a band aid Bill that will have little if any effect on preventing data-breaches is ill conceived and falls well short of providing the protections required to meet increasing levels of insider data-breaches.

Comments are closed.