New data breach laws came into effect in Australia last week, making it mandatory for companies to report significant breaches.

Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, eligible businesses must notify the Australian Government via the Office of the Australian Information Commissioner (OAIC) if a data breach has occurred which is likely to result in “serious harm” to those whose information has been breached.

The Act came into effect last Thursday, 22 February 2018. Failure to report eligible data breaches can result in fines of up to $1.7 million for companies.

The new scheme applies to all businesses, Government agencies, and not-for-profits with an annual turnover of more than $3 million, as well as health service providers, credit reporting bodies, and any entity which receives and handles tax file numbers.

However, a survey conducted just days before the new laws came into effect found that 59% of businesses were unaware of the incoming legislation and what it means.

According to the Canon Business Readiness Index 2018 Information Security Edition, research conducted by research firm GFK found three in five businesses are clueless about their obligations under the new Notifiable Data Breaches scheme.

Security expert and ACS Vice President Craig Horne said that while it may take a long time to identify a breach has occurred, almost all organisations eventually make the discovery.

“This can be either immediately and directly because data is encrypted from a ransomware attack, or long-term and indirectly because revenue declines from industrial espionage involving loss of trade,” he said, adding that the Act does not apply to every data breach, but only those that involve loss of personal information.

Adding to the complexity is that ‘information loss’ is intangible, unlike financial or physical assets.

“For example, if a thief steals someone’s wallet, two things are true. One is that the owner doesn’t have it any more. The second is that the thief can give it back,” said Horne.

“These two conditions are not true for information theft. If information is copied when stolen, the owner still has it and thus the thief has not permanently deprived the owner of it. It fails the common test of law for theft.

“An information-based asset such as a trade secret, however, is no less valuable than a physical asset, such as a property, as both can be used to derive revenue.

“I’m not certain that Australian law copes with information theft all that well but we have an opportunity to become a global leader if we can change and get it right.”

To mitigate this, Horne said the reference to ‘unauthorised access’ in the Act is welcomed because if someone can access information, then they can copy and hence steal it.

“Use of the word ‘unauthorised’ is welcomed because it places the burden of proof back on the person accessing the information to prove that they were authorised to do so.”

Further, the Business Readiness Index found, “only 40% of Australian businesses had implemented six or more of the Australian Signals Directorate essential eight (ASD8) strategies to mitigate cyber security incidents.”

When it came to small business, this figure dropped to 12%.

“Small businesses are falling behind in terms of protecting their information security. This not only means their own information security is highly compromised, but they could be putting their suppliers’ and customers’ businesses at risk,” the report stated. “This creates a significant hole in Australia’s cyber security strategy as we are only as strong as our weakest link.”

The Business Readiness Index surveyed more than 400 business decision makers across Australia.

The Australian Signals Directorate Essential 8. Source: Canon Business Readiness Index 2018 Information Security Edition