A new Australian law appears to be succeeding in finally unveiling the current state of data breaches in the Land Down Under. According to a release by the country’s information commissioner’s office (the OAIC), thirty-one data breaches were reported to the government since the law took effect on February 22, 2018.
Notifiable Data Breach
Australia’s Notifiable Data Breach (NDB) scheme, which makes reporting data breaches to the government mandatory, was a long time coming. While Australia already had data breach laws before the NDB, going public with a breach was a voluntary act. Obviously, that was never going to work. And the numbers prove it: in 2010, only 56 data breaches were reported. That roughly doubled by 2014, when 104 data breaches were reported.
Obviously, these are comically tiny numbers when you consider that 20 million people live in Australia, and that more than 2 million companies were registered with the government in 2014 – 2015. The numbers would suggest that either (a) Australia’s businesses are unusually top-notch when it comes to data security or (b) data theft and loss incidents were seriously underreported.
Even today, with the latest revelation, a person tracking such incidents may feel that the numbers are a little low, possibly because the public is not yet aware of its responsibilities under the new law, or because the OAIC has yet to show that it is willing to impose serious repercussions on those who fail to comply with the NDB.
The USA, with its disparate set of laws and regulations regarding data breach notifications, has shown the effects of voluntary vs. mandatory and enforced vs. unenforced notifications. Such laws began to surface with California 15 years ago, and other states have since passed their own versions, unwittingly creating an experiment in what is effective. The conclusion: even when the law mandates going public with a data breach, many companies will not do so if the repercussions for staying silent never really materialize.
In addition, the HIPAA / HITECH regulations covering the US medical sector showed that the fastest and surest way of ensuring that companies take notice of privacy and data security laws is to impose monetary penalties on them and publicize those penalties.
Turnover of $3 Million, A Couple of Conditions
According to businessinsider.com, the new law applies to companies that have an annual turnover (aka, total sales or total revenue) of $3 million or more, with certain exceptions like APP entities that trade in personal information. In addition, the data breach to be reported must be:
- Unauthorised access to or disclosure of personal information that could be used to harm an individual; and
- A risk of unauthorised access or disclosure, where the information has been lost and is in danger of being used to harm an individual
The same article quotes an expert who says that the new law may not really affect the behavior of businesses, seeing how:
the Australian laws are still “less stringent and the penalties less severe than similar regimes in other jurisdictions”.
Considering how the law is worded, it’s hard not to agree. For example, what does it mean that the data breach could “harm an individual”? There’s too much room for interpretation there, even if the OAIC notes that an “objective assessment… from the viewpoint of a reasonable person” should be used in making the determination.
Thankfully, it is at least pointed out that the use of strong encryption provides safe harbor from the NDB, since encrypted data cannot be read by an unauthorized party as long as the key itself has not also been exposed. Indeed, multiple examples are provided where the NDB exception is directly tied to encryption, underscoring the importance of encryption in safekeeping personal and private data.