A few months ago Australia took the long-overdue step of introducing mandatory data breach notification laws. Most people perform daily transactions online and store their personal details in the hands of many organisations. They entrust those organisations to do the right thing, and up until now those organisations have had no obligation to report and admit incidents such as security breaches, data theft and hacks, incidents which would potentially expose harmful and sensitive information.
Most US states have had similar laws since 2002. 16 years ago the average internet usage was 46 minutes per day compared to 4 hours per day today. A little start-up company called PayPal was acquired by eBay. To say the laws have been a long time coming would be an understatement. The perils of having your online credentials in the wrong hands have been understood for years, with identity theft the most obvious.
Net Solutions has been around since 1996 and we have observed a huge number of security breaches during this time. Unfortunately most organisations treat security breaches as simply a nuisance or inconvenience. Like receiving a speeding fine, it won’t make you change your habits, so you simply get over it and go back to business as usual. With so many organisations online these days, I am simply perplexed at the lack of regard most organisations place on security in their IT systems. I have reported many major breaches to law enforcement agencies, including major credit card fraud schemes operating on hacked websites, but since I have had no response from any of them it tells me that they have no interest in changing things and probably consider me a nuisance.
I deal with hacked websites on a daily basis and it’s still difficult for people to understand and appreciate the risk this poses. If your site has been hacked, you run the risk of losing more than data: hackers plant back-doors on your site, steal passwords and credentials, eventually eavesdrop on your emails, and then gain access to your financial data. I have personally dealt with hundreds of such cases. What’s interesting now is that if your website contains any client-sensitive or personal data and you get hacked, you are obliged to report it or face a fine for not doing so.
Website security is rarely, if ever, considered by typical website designers, many of whom carry out their design work using automated tools: drag-and-drop applications which require little or no coding and software knowledge, and even less knowledge about how to ensure your site is secure. What’s even worse is that many website designers tell their clients that once their website has been designed and handed over there is nothing they ever need to do from that point on, and that updating plugins and extensions is not required.
Small to medium-sized businesses are prime targets for cyber criminals, which means investing in the best security possible for your website should be as much a priority as keeping your insurance up to date. With no government support it simply expands the legal vacuum here, which plays perfectly into the hands of hackers. Hackers make a great living, profiting from perpetrating the attacks, knowing that the risk of being prosecuted is less than losing all your money in bonds.
Since there are no legal pressures, organisations are free to minimise their investment in IT and put little or no priority on implementing the processes necessary to minimise risk.
Minister for Law Enforcement and Cyber Security Angus Taylor said that there were 734 cyber incidents affecting private sector systems of “national interest and critical infrastructure providers”, and that the government hopes the new data breach laws will help promote a “race to the top” that will benefit all Australians. I believe the true number is 10 times that, but I do believe the minister when he talks about the threat and increase of cybercrime.
While the government and the Office of the Information Commissioner, which will manage the reporting of data breaches, have introduced fines of up to $420,000 for individuals and $2.1 million for organisations, I very much doubt that any fines will be issued, and companies will face little or no consequence.
So will Mandatory Reporting change anything?
Well, at the moment it all just amounts to no more than talking about the subject. It’s in the news, it will be trending, but it will be back to business as usual for most while some will pay attention. I hope it changes, but I don’t believe these reforms will bring Australia into line with other advanced economies, because we can only get there by action and consequence.
I know it sounds pessimistic, but the progress of the last 16 years gives you a good indication of how we may progress in the next 16 years at worst. We will only improve if there is action and consequence from organisations and if we up the ante for the hackers.
I don’t believe this will have any impact on hackers, whose skills have grown tremendously over the last 16 years while we did practically nothing in government policy during that time. Hackers will become more savvy over time, so my prediction is that it will be a win-win for hackers.