A global survey of in-house lawyers has revealed that more than one-third of Australia’s corporate counsel have experienced a recent data breach – but until breach notification becomes mandatory, the details of those breaches are being hushed up.
In a 12-month period in 2014/15, just 110 data breach notifications were made voluntarily to the Office of the Australian Information Commissioner (OAIC).
The lawyers’ survey, conducted by the Association of Corporate Counsel (ACC) foundation, reveals that larger companies were the major targets, and employee error or internal attacks were the most frequent cause of breaches.
Tanya Khan, managing director of ACC in Australia, said no sector or region was immune, and that lawyers expect the risks to increase next year. Disturbingly, the survey found that only 8% of local lawyers reported an increase in security spending – compared with 23% of their international peers.
And while 47% of global organisations have cyber security insurance, that figure plunges to 25% in Australia.
The country’s apparently lackadaisical approach to data breaches cannot last, however, as the Australian government has finally signalled that it will introduce mandatory data breach notification in 2016.
Although the Australian Law Reform Commission pushed for mandatory notification as far back as 2008, at present the only breaches that must be disclosed are those involving health-related data.
However, the government committed to introduce legislation requiring mandatory breach notification in a quid pro quo for getting its metadata retention scheme passed in October.
A voluntary data breach notification process is already in place, through which enterprises can alert the OAIC. But there is, as yet, no requirement for enterprises to inform individuals that their private information may have been compromised through a breach.
In its most recent annual report, the OAIC said it had received 117 data breach notifications during the 2014/15 year, including 110 voluntary data breach notifications. However, the ACC’s new in-house lawyer study suggests that thousands of enterprises suffered such breaches during the year – although it is unclear what proportion of those would have been classed as “serious”.
The Federal Attorney General’s department has now released for comment its serious data breach notification bill, which sets the foundation for legislation to be introduced to parliament in 2016. The public consultation phase runs until March.
Besides defining what is considered a “serious” data breach, the legislation also proposes giving enterprises 30 days to comply with the notification rules.
The Attorney General’s department says it is walking a fine line in trying “to improve the privacy of Australians without placing an unreasonable regulatory burden on business”.
The acting Australian Information Commissioner, Timothy Pilgrim, welcomed the draft bill. “Data breach notification can be an important mitigation strategy in the event of a serious data breach,” he said. “Notification enables people affected by a breach to take steps to protect their personal information, such as cancelling credit cards or updating logins with service providers.
“A mandatory notification scheme will provide confidence to all Australians that, in the event of a serious data breach, they will be given the opportunity to manage their personal information accordingly.”
The OAIC itself is on its last legs following a May 2014 announcement that the government plans to disband it and put in place new arrangements for the administration of freedom of information and privacy matters. Until that new structure is finalised, however, the OAIC has continued to oversee privacy and FOI reviews.