The theory and practice of mandatory data breach reporting legislation.
Reporting a data breach that carries a “real risk of serious harm” is now mandatory under the Australian Government’s recently enacted Privacy Amendment (Notifiable Data Breaches) Bill 2016.
Any data breach notification legislation, such as this, puts organisations on notice that data privacy breaches are to be taken very seriously – with stiff penalties for non-compliance.
Having a warning triggered on the misuse of personal data is a key control in helping to assure your privacy in cyberspace. Raising the alert immediately, while not preventing the event itself, may mitigate its propagation.
All well and good, in theory at least. How practically this can be achieved in our highly connected and rapidly changing digital world is altogether another matter.
The power of stealth
Managing data breaches is a non-trivial task. According to a 2013 report, data breaches are often not discovered for months — or even years. This presents a real challenge for organisations where the breach may have occurred long ago and the perpetrator has long since moved on.
Of greater relevance to mandatory data breach reporting is that the majority, close to 70%, of breaches were reported not by the organisations themselves, but by an external party.
The stellar cast of data breaches is impressive and seemingly never ending:
- On February 14 this year, media group Forbes had more than a million names, email addresses, usernames, and passwords stolen by the Syrian Electronic Army;
- On February 8 this year, Barclays Bank had 27,000 customer files containing names, addresses, passport numbers, and national insurance numbers, as well as information regarding health issues, insurance policies, mortgages, savings, and earnings leaked;
- On February 5 this year, a US healthcare provider, St. Joseph Health System, had 405,000 patient names, US Social Security numbers, dates of birth, addresses, and medical details, as well as an unknown amount of bank account information held on their server accessed by hackers;
- US retailer Target has now seen the data of at least 70,000,000 customers affected, including names, phone numbers, email and mailing addresses;
- Even the US Department of Homeland Security had 520 private documents and financial information belonging to at least 114 organisations extracted by an unauthorised party. Interestingly, this incident occurred in September 2013 and was only reported in January 2014, some 4 months later.
Data breaches seem to be a fact of life.
Effective, on paper at least
The effectiveness of any legislation is based on considerations such as the deterrence factor, the actual protections afforded under the law and the practicalities of enforcing the law.
In the face of sophisticated and persistent cyber attacks, the protection offered by the legislation is limited, especially if an organisation was not aware that the attack had occurred. If the organisation that suffered a breach had in fact implemented, and was operating with, best-of-breed security measures and technologies, it is unlikely to be prosecuted. A great “Get Out of Jail Free” card.
However, if the organisation “did not take reasonable steps to protect the personal information from unauthorised access” it may be in breach of the legislation. In such instances, the interpretation of what constitutes “reasonable steps” may not be a simple exercise.
Cybercrime is sophisticated, well funded and is big business, and a constant threat.
Data breach reporting legislation also presents a unique challenge for organisations with existing cloud arrangements, in that they are, for the most part, at the mercy of their provider’s willingness or ability to meet these legal requirements. In the face of such legislation, it is prudent to reassess your cloud provider’s security measures.
Add to this mix the challenges facing those organisations at war with their own IT departments or IT vendors. Legacy systems, poorly architected IT services based on fragmented technologies and inflexible IT supply contracts, not to mention substandard business leadership and technology management practices, are hindering many an organisation’s ability to respond rapidly to the new legislative demands.
Moreover, the pervasive phenomenon of “shadow IT” is also a factor: individuals, local departments or business units within organisations implement IT systems without appropriate due diligence, contributing to the risk of a data breach.
Both shadow IT and cybercrime escalate the risks of, and the challenges associated with, protecting sensitive data.
Room for improvement
In an era of financial austerity, organisations are keen to cut all unnecessary costs, and the lure of cutting the ongoing investment in information security is a constant trade-off, especially where they have no history of data breaches. It’s akin to an airline gradually reducing the maintenance effort of its fleet of aircraft because it has never had an accident yet. The question is which airline is carrying your personal data, and when it crashes, will you hear the explosion or will it disappear silently and without a trace into the digital Bermuda Triangle?
*This article has been updated to reflect the fact that mandatory data breach legislation had not yet been enacted in Australia as of March 2014; however, the legislation was re-introduced to Federal parliament in March.
This article was written by me and appeared in The Conversation, March 2014.
Please read the related post Dumpster diving and the Privacy Amendment (Privacy Alerts) Bill 2013