Australia’s breach notification legislation is forcing organizations to think more seriously about security

A year since its introduction, Australia’s breach notification law is being accepted as part of general business practices, but security pros have urged for lawmakers to tighten up the policy’s wording in order for the legislation to have maximum impact.

Australia’s Notifiable Data Breach (NDB) scheme came into effect on February 22, 2018, with regulations less stringent than rules under GDPR, which applies to firms handling the data of European consumers.

In Australia, unlike Europe, small firms are exempt unless they handle government contracts, credit reference, or health-related data. Australian data breach rules set a A$3 million ($2.1 million) annual turnover requirement for reporting.

There’s a one-month reporting timeframe for confirmed breaches, instead of the three days that apply under GDPR. And breaches down under are only notifiable if they are likely to cause “serious harm”.

Patrick Fair, a partner at Sydney-based law firm Baker & McKenzie, told The Daily Swig that although doubts remain about the application of the term “serious harm”, the breach regulation has still had its intended effect of making organizations think more seriously about their security policy.

“We’re getting projects looking at work practices,” he explained. “Companies are much more focused on compliance and in doing things like employee training.”

“Everybody has sharpened up,” Fair said, adding that Australian companies have generally adopted a practice of immediate notification once they have confirmed a breach, rather than waiting for the 30 days period of grace that the regulations allow.

Some security regulations such as the PCI DSS rules for handling payment card data have been criticized by infosec pros as box-ticking exercises only done to clear a compliance hurdle.

Australia’s breach notification rules have been received more positively by the local business community. “Breaches are seen as putting companies at risk,” Fair explained.

Run rate

The latest stats from the Office of the Australian Information Commissioner (OAIC), which cover the last three months of 2018, reveal that 262 data breaches involving personal information were notified between October and December 2018.

Under the Notifiable Data Breaches scheme, organizations and agencies regulated under the Privacy Act are obliged to notify individuals and the OAIC when data breaches are “likely to result in serious harm”.

The leading cause of notifiable data breaches in Q4 2018 was malicious or criminal attack (168 notifications), followed by human error (85 notifications), and system error (nine notifications).

This is consistent with earlier run rates of around 90 breach notifications per month, with two-thirds stemming from malicious action and the remainder from human error. Phishing and brute-force attacks made up a majority of the criminal attacks.

The top three sectors to report breaches in Q4 2018 were private health service providers (54), finance (40), and professional services firms (23).

Before and after

Troy Hunt, the Australia-based security researcher behind the Have I Been Pwned breach notification service, remains unconvinced there’s been an improvement in either breach handling or security policies as a result of the new Australian rules.

“It’s hard to tie down a tangible difference because we don’t really have measurable before and after metrics,” Hunt told The Daily Swig.

“We’re seeing an average of a couple of reports a day, so on the one hand it’s good that the system is being used, but on the other hand the criteria for reporting is so weak that it’s hard to know the real number of breaches that are occurring.”

Hunt acknowledges that the regulation may have helped in some ways, while observing that much more needs to be done to make security breaches involving Australian firms or international firms that operate in the country less calamitous.

He said: “It’s led to many board-level discussions about security that wouldn’t have happened otherwise – certainly that’s the feedback I’ve had from multiple CISOs down here – and hopefully now the program is beginning to bed in, the government can think about strengthening the reporting criteria to be more in line with the likes of GDPR.”

Fair agreed that the rules need revision, while disagreeing with Hunt about the extent of changes that might be needed.

The concept of “serious harm” ought to be more clearly defined and Australian firms who fall victim to a breach should be given the flexibility to issue more than one breach notice in cases where more information on an incident becomes available, according to Fair.

“Forensics reports don’t come quickly, and there’s a case for Australian legislation to be tweaked to reflect that,” he told The Daily Swig.

RELATED Australian data breach scheme proves a tentative success