The hacking disclosure debate

Patrick Gray looks into the impact of the Australian Democrats' proposed amendments to the Privacy Act to force disclosure of customer data hacking incidents.

Patrick Gray (PG): Andrew Walls used to work at Cybertrust before it was acquired by Verizon Business Security Solutions. He left before that acquisition to take up a post with analysis firm Gartner.

We're interviewing Andrew to ask about amendments that have been proposed to the Privacy Act that would force companies that have lost customer data to disclose the breach. There are some similar laws in the United States already but as Andrew explains, Australia's approach seems a tad sharper.

Andrew Walls (AW): There are some distinctions that should be drawn between this and the US-style legislation that various US states have enacted at a state level. There is no federal legislation like this in the US.

Compared to what has been proposed here in Australia, in the US most of the bills that have been passed at a state level really focus on specific kinds of data, so they are looking at financial transaction data: credit cards or banking transactions. Some of them are focused specifically on medical data, genetic data and genetic privacy as it were.

In Australia what's been proposed here is actually an amendment to the existing Privacy Act. So for any information that is considered private under the scope of the existing Privacy Act, if that is disclosed in an inappropriate fashion then the people affected have got to be made aware that their information has been leaked to an inappropriate source and so forth. So it is a slightly different take on the whole breach disclosure concept than what we see played out in the US.

I actually think this is a healthier approach than just picking up a specific little section of information like financial transactions and saying we have to do breach disclosure around that. By piggybacking on top of the Privacy Act, we are able to take advantage of an existing body of legislation and also existing business practice because all the businesses that are within the scope of the Privacy Act have got to have already put in basic structures for managing private data.

PG: We will go back to the Privacy Act in a moment, but you say it is a proposed amendment to an existing act. Who is actually proposing that it be amended?

AW: This has come from Natasha Stott Despoja from the Australian Democrats. Obviously I am no political analyst but I am well aware of the issues of getting legislation passed when you are a minority player in the overall political scheme. So it will be obviously challenging for this particular amendment to get up and get passed.

PG: And yet you say it is inevitable?

AW: I say that disclosure laws are inevitable; I am not saying that this particular one is inevitable. There is a fundamental, if you will, cognitive business going on out there in that on one hand the Australian government as well as the US, the UK and most of the western governments, are encouraging their citizens to be alert but not alarmed and to be conscious to potential terrorist activity and security problems.

PG: And also encouraging the use of fridge magnets here.

AW: Exactly.

PG: It is helpful. We had duck and cover during the cold war and now we have fridge magnets and the telephone number for our local utilities! It is all you need to prevent yourself against a crazed Jihadi!

AW: Yeah. All you have to do is get underneath your school desk and that will protect you from nuclear fallout! So we have that going on which tells us that there are serious security problems out there and we need to be personally involved in assuring the security of our homeland or our bank accounts or whatever it is.

But then on the other hand we have nothing in place within the commercial sphere which would force organisations that are holding our private information and other things that we need to have kept secure; we have nothing there that mandates that they tell us when they have failed in their responsibility. So we are told to be aware but then the very thing that would help us be aware is kept quiet.

PG: Andrew, many in Australia who've been working in information security for a while would remember that in 2001 there was an amendment made to the Federal Privacy Act which brought the commercial sector under the act for organisations turning over more than three million dollars a year.

That ushered in the concept of national privacy principles and at the time I imagine analysts working in similar roles to yours now hailed this as a great leap forward for security. Finally there was something written in very clear text saying that it is now federal law that you must keep the private and personal data of your customers secure.

We were expecting this big investment in security and that people would take this legislation very seriously, but in the end they didn't, did they? Because the office of the Federal Privacy Commissioner is quite toothless in its ability to enforce adherence to those national privacy principles, which were also introduced as an amendment to the Privacy Act in 2001.

AW: There are really two issues there. One is the question of whether there was an investment generated as a result of the privacy principles being issued.

Two: is there a real enforcement capability on the part of the commissioner.

Taking the first one, there were actually fairly major investments made, particularly in the financial services field in Australia, as a result of those privacy principles being issued. Most major organisations that came within the scope really had to rally the troops and make a lot of investments in terms of changed business processes, actually instituting new processes within their organisations, creating new positions of privacy officers within departments and so forth. Actually, businesses that were within the scope of the amendment really had to get their act together and make things happen in a major way.

PG: But nothing really happened to those that didn't get their act together did it?

AW: No, and that is the next question which is enforcement.

This is one area where we really need to improve our game, to say the very least. At this point we are not seeing much enforcement of many of the security regulations and standards in Australia. So for example if you look at an industrial regulation which is the Payment Card Industry Data Security Standard (PCI DSS), we are seeing next to no actual enforcement of PCI within the Asia Pacific region, particularly in Australia.

We have seen enforcement activities taking place in the United States and a little bit in South America but very limited actual enforcement activity going on anywhere else. Obviously enforcement is critical if we are going to get credibility in terms of the commercial sphere. No one is going to make huge investments to improve things if they think there are no real teeth to the legislation.

PG: The thing with PCI DSS is if Visa and MasterCard, the two biggest credit card companies out there who really drive PCI DSS, if they decide to get serious we will see change.

Already at the higher end of the market with the larger credit card processors they are starting to get in there and kick some arses and get them doing stuff. But what I am getting at with this amendment to the Privacy Act is, can we really expect to see any change when it doesn't look like the enforcement side of things is going to be beefed up at all?

AW: I think we will see change even if we don't beef up the enforcement. Under the current Privacy Act if a breach occurs the penalties are actually not there. There is no issue around that. If there has been a failure of security, as long as you can say I've exercised due care and I've made reasonable steps, you can't be expected to have a hundred percent bulletproof security systems.

PG: This shifts the argument around to say well, it doesn't matter what measures you had in place, if there has been a breach there has been a breach and you have to notify people.

AW: Exactly. Even if you don't notify, so let's say you ignored the breach disclosure law if it ever gets passed and you say well I am not going to bother to notify because I think that will hurt me in the market. Ultimately these things do get uncovered.

An excellent case that comes close to home was the big CardSystems failure back in the States which was first picked up by the National Australia Bank here locally. They noticed the issues, fed the information up the line back through the credit agencies and the analysis happened and they were able to pinpoint that all those transactions had been processed in one place. So that information does come to light and it bubbles up. So companies that refuse to disclose, even though a law may require them to, will eventually get caught by that.

PG: If that information bubbles to the top then why do we need legislation to mandate the disclosure of these data loss incidents?

AW: Because the bubbling up process is hardly comprehensive or even handed. It's more a matter of which person gets a hold of the data and decides to get noisy and call a few journalists or start blogging about it and getting the word out.

PG: Or podcasting it!

AW: We need to have a consistent approach to this if we are going to use this as a way of improving security across industry. If it's just a random festival of breaches getting popped out there, then it becomes more of a matter of who's got it out for whom. Let's monitor their stuff and tell everyone in the world that they've had a breach and force them to disclose.

That's not what we're after. What we'd like to do is see businesses acting responsibly, informing their customers of when there are security issues that will have an impact on those customers. So then the customers can make reasonable risk assessments on their own and invest their money appropriately.

Let's look at financial services: if you want to choose who you want to put your account with and you look across ten different banks and you want to go with the safest and most secure one, how can you make your choice? All you know is who happened to get headlines recently because of a security or a hardware problem that got noticed. That is not a good way to make a decision.

PG: When do you think these laws come into effect realistically?

AW: Given that we are facing a Federal election I am not anticipating much of anything happening this year. I think it would be realistic to say that we will see more debate on this kind of stuff next year and I would hope to have legislation in place by 2009.

But realistically it is going to take a while and there will be a lot of opposition from industry because this is again another regulation that has reporting requirements or requires investment on the part of the company to do the disclosure.

PG: There will be reporting requirements above reporting when there has been a breach?

AW: No, I am saying that by having the disclosure requirement in the law, that is a new disclosure and reporting requirement. There will have to be bureaucracy wrapped around that. Do you just splash the notification in a two-centimetre wide advertisement in the back of the AFR? Or
