Time for data-breach disclosure laws

The dust must be shaken off Australia's proposed mandatory data breach disclosure legislation.

Anna Cervova, public domain

It is essential if the industry is to curb fraud attacks on businesses and consumers.

The Federal Government accepted 197 of the 295 recommendations from  the Australian Law Reform Commission report in 2008 to amend privacy laws.

These seek to force companies to disclose when they are breached and give teeth to regulators to enforce financial penalties.

Problems with privacy laws were flagged in 2004 by the then Howard government and now the Government says it is still in consultations.

And yet Canberra still issues press releases on the need for businesses and individuals to be viligant of online threats.

"Fraud committed through the cyber world is increasing as more and more people make use of the internet because of the ease it offers in our everyday lives," reads one from the Attorney Gerneral's office.

And as we brace for another cyber crime awareness week, I wonder how serious the Federal Government is about getting our disclosure laws off the ground?

Breached businesses, their insurance companies and banks seem all too happy to write off the cost of data breaches.

Many view losses in terms of dollars, not privacy. The standard response to breaches is to take the path that least damages the bottom line, which usually means plugging vulnerabilities and keeping quiet.

Penetration testers and IT forensics professionals perhaps have the greatest insight into how bad the situation is.

At last week's AusCERT security conference, a security professional told me that a big Australian business, which which many of us deal, lost 100,000 customer records in a breach.

The organisation recruited him to track how it occurred but his final report was binned.

That happened this year.

The organisation's executives thought it was cheaper to patch holes rather than overhaul its vulerable system architecture. After all, everyone who knew of the gaffe signed non-disclosure agreements.

Although breaches like this avoid bad headlines, it will be difficult for the industry to convince bean-counters to invest in information security.

As the pen tester told me, some businesses would rather buy a top-end coffee machine than invest in IT security systems.

Yet data disclosure laws are messy. For instance, they could cripple mum-and-dad businesses, which are preferred targets of fraud because they often lack the security resources to detect breaches.

And there is a strong argument that they are as much the victim as their customers whose details are stolen.

But much of the groundwork is done or at least underway. The US is mulling national laws and a tiered system where breaches may only need to be disclosed when shareholders would need to know.

And the EU has pitched directive 2002/58/EC that seeks to apply disclosure laws to electronic communications. It could be in place within four years.

So, Canberra, when you send out next week's cybercrime press releases explaining how Australia has lost yet more billions of dollars to fraud, remember that our strongest defence, data-disclosure laws, are groaning under the weight of dust.

Copyright © SC Magazine, Australia