Data breach penalty regime supported by Australian IT professionals, according to a survey

August 20, 2015

Security Asia reports on a Websense survey of Australian IT professionals in Data breach penalties gain overwhelming support from Australian IT: survey.  It is not counterintuitive for IT professionals to support consequences for data breaches.  IT professionals have to deal with the consequences of data breaches and are aware of what is required to avoid them.  Regulation without teeth gives rise to non-compliance: a corporation's spend will go elsewhere.  In Australia the compliance issues are even more significant because general compliance is not properly enforced.  The Privacy Commissioner's enforcement powers have been available for almost 18 months and there has been one enforceable undertaking, when Optus outed itself as being responsible for a data breach.  The terms of that enforceable undertaking are very mild and constitute a lethargic start to the use of the new(ish) enforcement powers.
The article provides:

Australian IT professionals are overwhelmingly supportive of penalties for company data breaches according to a new survey from security firm, Websense.

The survey of 100 Australian security professionals found that 98 per cent of respondents believed that the law should address serious data breaches that expose consumers’ data loss.

Of those, 59 per cent said fines were an appropriate way to enforce the law, while 65 per cent believed mandatory disclosure legislation should be implemented in Australia.

Of those surveyed, 60 per cent said there should be some form of compensation for consumers affected by data breaches and 23 per cent advocated arrest and jail sentences for the CEO or board members.

Websense engineering manager A/NZ, Bradley Anstis, said the results reflect the frustration many IT managers experience when attempting to impress the importance of IT security on senior management.

“Security professionals are seeing mandatory disclosure as a way of opening the boardroom door,” he said.

“They feel it will get them a seat at the table because the board will want to discuss this and the impact for the organisation.” Respondents (38 per cent) felt that companies not taking action against data loss and theft have it as an agenda item, but that it is not yet a high enough priority.

Close to half (41 per cent) say the CEO should hold ultimate responsibility should a breach occur.

The shift to the Internet of Things (IoT) has IT managers concerned: 72 per cent believe the advent of IoT will make companies even more vulnerable to data theft. It seems that getting that quick answer back when the boss calls still trumps security concerns. Nearly three-quarters (64 per cent) of respondents said employees would connect to unsecure Wi-Fi to respond to an urgent request by the CEO or a company executive, with even 42 per cent of security professionals saying they would do so themselves.

As much as data theft disclosures make good fodder for security companies and journalists alike, they appear to be inadvertently helping companies address the issues, with 62 per cent of security professionals reporting that publicity has helped other companies create a case for budget, focus and resources.

However, 24 per cent said headlines have hindered this as they make companies feel powerless to protect against these attacks. Anstis said, “As an industry, we need to be talking about security in language that board members can understand. That means talking about a company’s risks and the costs of mitigating those.

“These discussions must take place in a way that they can be as effective as possible without laying blame.”

Unlike most states in the United States of America, Australia has no mandatory data breach notification law.  There is a Privacy Amendment (Privacy Alerts) Bill 2014 languishing in the Senate.  Introduced by the opposition in March 2014, it is a mirror image of the Privacy Amendment (Privacy Alerts) Bill 2013.  The current bill is opposed by the Government even though it, when in opposition, supported the 2013 version.  The reason is politics, with both sides of the aisle having acted with appalling cynicism.  The net result is an abject failure of public policy.
