Data privacy leakage/breaches and privacy regulators response

March 11, 2014

The Conversation is turning into quite an effective commentator on privacy law issues.  In When data privacy goes missing, will the regulators hear it cry? (7 March) the subject is privacy and data breaches and, more importantly, what regulatory response exists for them.  As the author notes, data breaches seem to be becoming more common, almost ubiquitous, and close to 70% of them are reported by an external party rather than by the organisation that was breached.  Australia has no mandatory data breach notification law.  It is a little too Pollyannaish to assume that voluntary notification will take hold across the nation's organisations and agencies.  That is a serious flaw in privacy regulation.

The article also falls into the sceptical camp when it highlights the wording of the APP guidelines as indicating that an organisation operating with "best of breed security measures and technologies" is "unlikely to be prosecuted".  Whether this amounts to the get out of jail card the author describes remains to be seen.  The author is not alone in this assessment.  There have been a few prominent reports to that effect, which prompted the Privacy Commissioner to respond on 6 March 2014, with an alacrity that took a few practising in this field by surprise, with a statement titled Cyber attacks do not mean businesses are 'off the hook'.

The reality is that the draft regulatory action policy and the APP Guides, while helpful, are written in sufficiently general terms as to give limited predictive power as to how the Act will be regulated and its provisions enforced.  The most recent investigation, conducted concurrently with ACMA, Telstra Corporation Limited: Own motion investigation report, took quite a while to reach fruition.  It is fair to treat 12 March as a new beginning in privacy regulation.  How the Privacy Commissioner approaches his new responsibilities, armed with a new and impressive arsenal of enforcement powers, is being closely watched.

The article provides:

What does privacy mean in an age of ongoing privacy breaches? With new privacy law coming online in Australia on March 12, our Privacy in Practice series explores the practical challenges facing Australian business and consumers in a world rethinking privacy.

Reporting a data breach that carries a “real risk of serious harm” could soon be mandatory should Australian data breach reporting legislation be implemented.*

The proposed law puts organisations on notice that any data privacy breaches are to be taken very seriously – with stiff penalties for non-compliance.

Having a warning triggered on the misuse of personal data is a key control in helping to assure your privacy in cyberspace. Raising the alert immediately, while not preventing the event itself, may mitigate its propagation.

All well and good, in theory at least. How practically this can be achieved in our highly connected and rapidly changing digital world is altogether another matter.

The power of stealth

Managing data breaches is no trivial task. According to a 2013 report, data breaches are often not discovered for months — or even years. This presents a real challenge for organisations where the breach may have occurred and the perpetrator has long since moved on.

Of greater relevance to mandatory data breach reporting is that the majority, close to 70%, of breaches were reported not by the organisations themselves, but by an external party.

The stellar cast of data breaches is impressive and seemingly never ending:

  • On February 14 this year, media group Forbes had more than a million names, email addresses, usernames, and passwords stolen by the Syrian Electronic Army;
  • On February 8 this year, Barclays Bank had 27,000 customer files containing names, addresses, passport numbers, and national insurance numbers, as well as information regarding health issues, insurance policies, mortgages, savings, and earnings leaked;
  • On February 5 this year, a US healthcare provider, St. Joseph Health System, had 405,000 patient names, US Social Security numbers, dates of birth, addresses, and medical details, as well as an unknown amount of bank account information held on their server accessed by hackers;
  • US retailer Target has now seen the data of at least 70,000,000 customers affected, including names, phone numbers, email and mailing addresses;
  • Even the US Department of Homeland Security had 520 private documents and financial information belonging to at least 114 organisations extracted by an unauthorised party. Interestingly this incident occurred in September 2013, and was only reported in January 2014, some 4 months later.

Data breaches seem to be a fact of life.

Effective, on paper at least

The effectiveness of any legislation is based on considerations such as the deterrence factor, the actual protections afforded under the law and the practicalities of enforcing the law.

In the face of sophisticated and persistent cyber attacks, the protection offered by the legislation is limited, especially if an organisation was not aware of the attack having occurred. If the organisation that suffered a breach had in fact implemented, and was operating with best of breed security measures and technologies, it is unlikely to be prosecuted. A great “Get Out of Jail Free” card.

However, if the organisation “did not take reasonable steps to protect the personal information from unauthorised access” it may be in breach of the legislation. In such instances, the interpretation of what constitutes “reasonable steps” may not be a simple exercise.

Cybercrime is sophisticated, well funded and is big business, and a constant threat.

The new legislation also presents a unique challenge for organisations with existing cloud arrangements, in that they are, for the most part, at the mercy of their provider’s willingness or ability to meet these new legal requirements. In the face of the new legislation, it is prudent to reassess your cloud provider’s security measures.

Add to this mix the challenges facing those organisations at war with their own IT departments or IT vendors. Legacy systems, poorly architected IT services based on fragmented technologies and inflexible IT supply contracts, not to mention substandard business leadership and technology management practices, are hindering many an organisation's ability to respond rapidly to meet the new legislative demands.

Moreover, the pervasive phenomenon of "shadow IT" is also a factor: individuals, local departments or business units within organisations implement IT systems without the appropriate due diligence, contributing to the risk of a potential data breach.

Both shadow IT and cybercrime escalate the risks of, and challenges associated with the protection of sensitive data.

Room for improvement

In an era of financial austerity, organisations are keen to cut all unnecessary costs, and the lure of cutting the ongoing investment in information security is a constant trade-off, especially where they have no history of data breaches. It’s akin to an airline gradually reducing the maintenance effort of its fleet of aircraft because it has never had an accident yet. The question is which airline is carrying your personal data, and when it crashes, will you hear the explosion or will it disappear silently and without a trace into the digital Bermuda Triangle?

*This article has been updated to reflect the fact that mandatory data breach legislation has not yet been enacted in Australia.
