Google+

Friday, 26 October 2012

Compulsory data-breach notification will do nothing to protect Australians

Attorney General Nicola Roxons' proposed compulsory data breach notification does not address the real issues facing Australian consumers and business. There is no evidence that compulsory notification will protect Australians and frankly any notification of a breach is usually too late anyway. If there is going to be compulsory notification there also needs to tough legislation to deal with the persons who steal the data.

An insider stealing data causes the company to breach privacy and potentially subjects the company to huge fines under the proposed Compulsory Notification Bill. What happens to the the thief? At the moment nothing if the thief is an employee of the company!

ADMA CEO Jodie Sangster's recent revelation: “A drop of 18 % for a total of 46 notifications in the year could equally suggest that companies have responded well to his office’s advice on preventing data breaches” is ignorant of the facts.

Many data-breaches are never reported by business owners.

Under the privacy commissioner's current guidelines persons affected by a data breach should be notified immediately. More often the person receiving the notice contacts the company to question their level of security and to find out what of their information has been compromised.

Recently a Sydney CBD medical practice, under the guidelines of the privacy commissioner, notified patients their data may have been compromised. The notification prompted thousands of abusive calls from patients questioning the centres security with many saying they would never return. In this case patient data was compromised by a long term employee who had conspired with three others to 'misuse authorised access' to steal the patient database.

Business owners who know of or have heard of similar experiences will avoid notifying their customers of data-breaches. The 18% drop in total notifications is not a reflection on ADMA's advice, it is the fear of the detrimental short and long term effects on a business a data-breach report may have.

A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent Security Conference in Canberra, "One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants".

Insider theft of personally identifying information (PII) is at epidemic levels in Australia and will remain so until legislation is passed that will allow Police to charge employees who steal data. PII is very often a business's most valuable asset and for many is valued in the millions of dollars. If an employee embezzled the same value in cash they would be charged by Police and likely receive a custodial sentence.

If the Attorney General is at all serious about reducing the incidence of data breaches then she needs to propose adequate legislation to protect business and Australian consumers from insider fraud, the most common of all data breaches.

Submitting a band aid Bill that will have little if any effect on preventing data-breaches is ill conceived and falls well short of providing the protections required to meet increasing levels of insider data-breaches.