Australia is the latest country to try to implement breach notification laws. Some, however, are wondering if they go far enough.
Late December and January saw a string of major data breaches and leaks. Our coverage started with the 123 million records compromised with the Alteryx data leak. Later on, Ancestry.com suffered a leak of their own with 300,000 records exposed.
If you thought that those two breaches in December were bad, January would prove to be worse. January started off with a staggering bang when 1 billion records were exposed in the Aadhaar data breach. How can that many records be exposed? Well, when you have a breach that affects the entire population of India, you’re going to get massive numbers like that.
The rest of January was like watching a train wreck on this front – you want to look away, but you just can’t help but watch. Later that month, we saw 20,000 records exposed in the SinVR data leak. This followed the Norway breach, where 2.9 million medical records (covering about half the country’s population) were exposed to hackers. Bell Canada suffered its own breach shortly after, with 100,000 customers exposed. The very next day, American chain restaurant Jason’s Deli had 2 million records exposed in another data breach. The month ended with three Android games produced by Sega potentially leaking their customers’ data to uncertified servers. Collectively, the games had been downloaded up to 600 million times.
You could be forgiven for thinking that identity thieves are having a free-for-all these days, but it is not as though governments are standing idly by and letting this happen. Australia’s data breach notification laws come into effect this month (February 22). According to ABC, the laws are supposed to compel companies to inform their customers if their information has been compromised. From the report:
Under the proposed laws, businesses will be required to alert the Australian Information Commissioner and all of its affected clients if they get hacked.
Car-sharing network GoGet identified unauthorised activity in its system in June 2017.
GoGet declined an interview, but in a statement, chief executive officer Tristan Sender said “it appears that the suspect has accessed personal information of GoGet’s members and individuals who have previously attempted to create a GoGet account”.
Mr Hunt said the new laws would push IT security up businesses’ to-do list.
“Even though it doesn’t go quite as far as we’d like, it’s a positive thing that we actually have something that organisations can now discuss at a board level because it’s enacted in law,” he said.
“If nothing else, the fact that this is in the news and it is something people are talking a lot about at the moment, that will hopefully be enough of a trigger for organisations to go, ‘Yeah, we’ve actually got to think about this more’.”
While it seems like a great first step in addressing security concerns, some are wondering if these laws are going far enough. In an opinion piece, Tony Vizza warned that breach notification laws won’t automatically mean that your information is going to be more secure:
With the Privacy Amendment (Notifiable Data Breaches) Act 2017 coming into force from the 22nd of February, 2018, the information security industry, the insurance industry and the legal industries are out in full force, spruiking their wares and seeking to maximise revenues. Helped by data breaches and major vulnerabilities discovered on an almost daily basis that are highly publicised in the mainstream media, as well as the European Union’s GDPR regime that will come into effect in mid-2018, it’s a fantastic time to be commercially involved in information security.
Given the awareness of information security risk and the saturation coverage of both cyber-crime and the impending NDB regime, logic would suggest that the existence of NDB should concern organisations enough to adopt strong information security practices to mitigate risk, deflect reputational damage and avoid costly legal battles and punitive penalties. So how do mandatory breach notification laws already in place around the world affect the frequency, severity and size of data breaches?
If we consider the US example, where mandatory breach notification laws have existed in California since 2002 (California Senate Bill 1386) and are now found in 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands, the number of data breaches reported is increasing at an almost exponential rate.
Judging by the data available, it would appear that NDB is having a limited effect in the US. Why would this be the case? There are a number of factors at play, including the trends in interconnectedness, the ubiquity of cloud compute services, the breakdown of the traditional network perimeter and of course the increasing sophistication of cyber-attacks. But it would also appear that the threat of reputational damage, regulatory actions and the costs from a technical, business and legal perspective associated with cleaning up a data breach are simply not enough for many organisations to address their cyber risk.
So, if overseas experience offers an indication as to the possible success of the Mandatory Breach regime in Australia, it appears to foreshadow a significant increase in data breaches in the coming years, rather than a reduction.
Vizza says that the breach laws are, nevertheless, a positive step, but points out that they are not a silver bullet for IT security woes.
Indeed, arguing that people whose sensitive personal information is compromised should not be notified is an extremely difficult position to take. It is equally hard to argue that telling customers their information has been compromised will magically solve all security problems.
So, by most accounts (ours included), the breach notification laws appear to be, at the very least, a step in the right direction, even if a small one.