Australians are naive about their data safety. Stronger rules on data breach reporting are ‘well overdue’, according to Deakin Law School lecturer Theo Alexander, who says Australia is out of sync with other advanced nations.
Through the Office of the Australian Information Commissioner (OAIC), the government is introducing legislation that will raise Australia’s game, Alexander says. The organisation recently advised that if a data breach spells a risk of serious harm the OAIC and the victims should be told loud and clear.
The game-changing bill is expected to come into force soon. It will make it mandatory to report any breach that occurs, Alexander explains, adding that it will bring Australia into line with the United States, Canada, the United Kingdom and Europe on the privacy protection front.
‘The lack of a mandatory reporting for data breaches regime has been a conspicuous absence in privacy protection in Australia for some time,’ he says.
If passed, the Privacy Amendment Bill 2014 will amend the Privacy Act 1988, making it compulsory to tell the privacy commissioner and ‘significantly affected individuals’ about any serious data violation.
Meantime, despite the obligations set out in the existing Privacy Act to keep personal information and collected data safe, organisations are under no obligation to reveal data breaches. Consequently, a data ‘owner’ struck by hackers may only find out belatedly, once the stolen information has already been misused. ‘And that may be months or years after the event,’ says Alexander.
Identity theft and personal fraud are an increasingly thorny issue. In the 2010/2011 financial year, personal fraud cost Australians $1.4 billion. What’s more, 1.2 million Australians aged 15 years and above fell prey to at least one incident of identity fraud in that period, a big uptick from over 800,000 victims in 2007.
The public apparently thinks that enough is enough. In 2013, Electronic Frontiers Australia publicised the results of a survey showing that 96 per cent of Australians backed mandatory reporting.
Threats on the agenda range from CryptoLocker (ransomware trojans) to targeted spear phishing and denial-of-service attacks. But data breaches extend beyond malicious actions such as theft and hacking, according to Alexander.
A breach may also arise from incompetence: internal errors or failure to follow information handling policies, he says, adding that violations happen across a range of platforms. Laptops, storage devices, databases, even paper records can all be vulnerable.
What to do
If your data is compromised, lodge a complaint with the OAIC, Alexander suggests, warning that in the past Aussies have been naïve about their data safety.
Until now, organisations hit by hacker attacks have also been cagey, it seems. Alexander cites an April 2013 privacy awareness study conducted by McAfee Australia, which found 68 per cent of organisations neglected to notify data loss victims about violations.
Open and forthright notification is good practice for all kinds of reasons, not least because it rebuilds public trust.