20 Feb Data breach notification laws will force businesses to say if they’ve been hacked
On February 22 new data breach notification laws will come into effect, potentially leaving thousands of Australian businesses on the wrong side of the law.
Under the proposed laws, businesses will be required to alert the Australian Information Commissioner and all of their affected clients if they get hacked.
Nigel Phair, the director for internet safety at the University of Canberra, fears too many Australian businesses will be caught out.
“When you look at the organisations I talk to, they all think, ‘Well, we won’t get hacked so why would we put any investment or any effort into being prepared?’” he said.
Mr Phair said the businesses he was most concerned about were the smaller to medium-sized organisations.
“The bigger you get, there is generally more preparedness to invest in cyber security measures,” he said.
“Unfortunately the smaller you get, they don’t see the value proposition, and subsequently the reason to be prepared.”
The proposed laws would only apply to businesses that have a turnover of more than $3 million.
And Mr Phair said that was worrying.
“Lots of little organisations still have personally identifying information, which if it lost, [had] stolen [or] abused, is a great threat to the average person out there,” he said.
Independent security researcher Troy Hunt said any company, regardless of its size, should have to inform people if their personal information has been exposed to an unauthorised party.
“I believe that personal data is personal data. It belongs to the individual,” he said.
Mr Hunt said the laws also relied too heavily on the “honour system”.
“There’s an expectation that this is only going to apply to organisations where the breach could result in serious harm to the affected individual,” he said.
“Now the challenge here is that whilst there is some criteria set forth about what might constitute harm, it’s still self-assessment.
“We come back to the point where if it’s my data, I would like to know if it’s been disclosed.”
The Government has reassured businesses that once the legislation is in place, the privacy commissioner would be able to conduct investigations into data breaches.
New laws will push IT security up the to-do list
There have already been some high-profile cases.
Car-sharing network GoGet identified unauthorised activity in its system in June 2017.
GoGet declined an interview, but in a statement, chief executive officer Tristan Sender said “it appears that the suspect has accessed personal information of GoGet’s members and individuals who have previously attempted to create a GoGet account”.
Mr Hunt said the new laws would push IT security up businesses’ to-do list.
“Even though it doesn’t go quite as far as we’d like, it’s a positive thing that we actually have something that organisations can now discuss at a board level because it’s enacted in law,” he said.
“If nothing else, the fact that this is in the news and it is something people are talking a lot about at the moment, that will hopefully be enough of a trigger for organisations to go, ‘Yeah, we’ve actually got to think about this more’.”
A data breach ‘would be potentially catastrophic’
Jonathan Batson and Marc Washbourne manage a database loaded with personal information.
Their company Job Ready, on Sydney’s north shore, develops software for recruitment firms and group training organisations.
“We look after a lot of government data, a lot of very personal data — for example job seeker information,” Mr Washbourne said.
It is the sort of information they would not want someone getting their hands on, he said.
“For us, a data breach, or a leak of data, would be potentially catastrophic for our business,” he said.
Mr Washbourne said he was satisfied that their systems were all set for the new data breach laws.
But he said businesses’ attitude towards IT security needed to change overall.
“I think it very much starts from the top, and it has to be something that you actually live and breathe, and not just talk about — that you actually do as well,” he said.
New data breach notification laws will come into effect on February 22
Businesses required to alert authorities and affected clients if they get hacked
Will only apply to businesses with a turnover of more than $3 million
All credit for this article to ABC News.