What will mandatory breach notifications really do for Australia?

By Tony Campbell

[Blog post] AGD wants your feedback.

The impending introduction of mandatory data breach notification laws means 2016 could be the year Australia finally catches up with the global information security race.

The exposure draft for the proposed legislation is now out, alongside a discussion paper and a detailed explanation of what constitutes a serious data breach.

“The bill is intended to improve the privacy of Australians without placing an unreasonable regulatory burden on business,” the Attorney-General’s Department suggests on its website.

So what does mandatory data breach notification really mean for Australian businesses, and has this kind of legislation worked elsewhere?

To understand the reasons behind this bill, it’s worth looking at the primary objectives that mandatory disclosure is intending to meet.

Foremost, disclosure is cited as helping protect consumers, who are the innocent victims most affected by information theft.

Once personally identifiable information (PII) has been exfiltrated, it is quickly put to use on the black market, leading to fraud, ID theft and follow-on attacks against the victim's other accounts and services (such as identity-based account takeover), which can leave the consumer scrambling to stay ahead of the cleanup for months or even years.

Mandatory disclosure forces businesses to inform victims as soon as the breach is discovered to give them the best possible chance of putting measures in place to reduce the impact on their lives.

Secondly, no business in its right mind wants the negative headlines that almost always accompany such a breach.

This kind of negative media coverage signals to customers that the company doesn't take information security seriously and, as a result, can damage customer loyalty and seriously affect the bottom line.

So in a legal system that imposes mandatory breach notification, businesses will naturally pay more attention to information security to reduce the chance of suffering a breach that triggers the disclosure obligation.

What's happening overseas

At state level in the US, mandatory disclosure has been in place since as early as 2002. It started in California and quickly spread to most other states over the following few years.

However, there is still no consolidated national legislation, meaning breaches that involve companies trading across state boundaries are reported differently.

This causes confusion for both companies and consumers, as it is difficult to coordinate a response that remains within the law and meets everyone's requirements. President Obama proposed the Personal Data Notification & Protection Act around his 2015 State of the Union address; it would establish a single 30-day notification requirement from discovery of a breach to disclosure.

Back in 2009, the European Union (EU) added a mandatory data breach notification obligation to the "ePrivacy Directive", which applies in all EU member states but only to providers of publicly available electronic communications services (telcos and ISPs). The huge fines often quoted in this context, as high as 5 percent of annual worldwide turnover, come from the European Parliament's draft of the proposed General Data Protection Regulation, which extends breach notification to all organisations handling personal data but had not yet been adopted at the time of writing.

Many EU member states have their own legislative systems that work in concert with the EU directive to allow them to meet the obligations within the context of their own legal system.

For example, in the United Kingdom, the Information Commissioner's Office has the power to impose monetary penalties on non-compliant entities under the Data Protection Act, with fines as high as £500,000 (about A$1 million).

Will it work?

There is no doubt that some good will come of this bill. Mandatory disclosure laws force the unearthing of information security problems and weaknesses within companies managing PII.

This in turn forces executives to redirect some of their budget to addressing information security problems, something they previously might not have had an incentive to do.

Where they have been in force, mandatory breach notification laws have proven effective at convincing executive boards to invest in cyber defences.

Furthermore, once an organisation embarks on this transformation to a more secure enterprise, the security awareness it brings to employees helps build a more robust culture of security: staff think more about their day-to-day activities and about where the vulnerabilities in their own systems may lie.

Mandatory breach notifications should help the Australian economy reduce the escalating cost of ID theft and serious fraud.

However, as the current definitions of serious harm are somewhat vague and ambiguous, there is a possibility that notification requirements in the bill could lead to over-reporting.

This could flood the Office of the Australian Information Commissioner with too many cases to investigate, leading to long lead times, putting companies in limbo and with the potential for massive fines hanging over them for protracted periods.

The balance needs to be just right. With more clarity about what constitutes serious harm, the bill has every chance of being implemented successfully.

I urge you all to read the exposure draft and discussion paper and give your feedback to government.

Make 2016 the year Australia gets ahead in the global infosec race.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
