Mandatory Breach Notification is not a silver bullet

Australian information security practitioners breathed a collective sigh of relief when the Privacy Amendment (Notifiable Data Breaches) Act 2017 was ratified by Federal Parliament at the beginning of 2017. It was the moment that as a nation, we finally caught up with the rest of the developed world in aiming to protect private information and introducing an added element of risk to organisations who failed to secure their information from unauthorised access.

With the Privacy Amendment (Notifiable Data Breaches) Act 2017 coming into force from the 22^nd of February, 2018, the information security industry, the insurance industry and the legal industries are out in full force, spruiking their wares and seeking to maximise revenues. Helped by data breaches and major vulnerabilities discovered on an almost daily basis that are highly publicised in the mainstream media, as well as the European Union’s GDPR regime that will come into effect in mid-2018, it’s a fantastic time to be commercially involved in information security.

Given the awareness of information security risk and the saturation coverage of both cyber-crime and the impending NDB regime, logic would suggest that the existence of NDB should concern organisations enough to adopt strong information security practices to mitigate risk, deflect reputational damage and avoid costly legal battles and punitive penalties. So how do mandatory breach notification laws already in place around the world affect the frequency, severity and size of data breaches?

If we consider the US example, where mandatory breach notification laws have existed in California since 2002 (California Senate Bill 1386) and are now found in 48 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands, the number of data breaches reported is increasing at an almost exponential rate.

Judging by the data available, it would appear that NDB is having a limited effect in the US. Why would this be the case? There are a number of factors at play, including the trends in interconnectedness, the ubiquitination of cloud compute services, the breakdown of the traditional network perimeter and of course the increasing sophistication of cyber-attacks. But it would also appear that the threat of reputational damage, regulatory actions and the costs from a technical, business and legal perspective associated with cleaning up a data breach are simply not enough for many organisations to address their cyber risk.

So, if overseas experience offers an indication as to the possible success of the Mandatory Breach regime in Australia, it appears to foreshadow a significant increase in data breaches in the coming years, rather than a reduction.

The barely discussed exemptions in the Notifiable Data Breaches Act

One of the major components of the Act (and very often overlooked by those seeking to commercially benefit from the NDB) are the generous exemptions granted in regard to organisations having to notify in the event of a breach. 

Under the provisions of the Act, an Eligible Data Breach must satisfy three broad categories:

1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds
2. this is likely to result in serious harm to one or more individuals, and
3. the entity has not been able to prevent the likely risk of serious harm with remedial action. (Office of the Australian Information Commissioner, Australian Government, 2018)

The third category offers eligible organisations the ability to avoid notification, assuming their incident response plans are adequate, that they have sought sound legal advice and can justify their decisions in context of the legislation. According to the Office of the Australian Information Commissioner:

“The NDB scheme provides entities with the opportunity to take positive steps to address a data breach in a timely manner, and avoid the need to notify. If an entity takes remedial action such that the data breach would not be likely to result in serious harm, then the breach is not an eligible data breach for that entity or for any other entity (s 26WF(1), s 26WF(2), s 26WF(3)). For breaches where information is lost, the remedial action is adequate if it prevents unauthorised access to, or disclosure of personal information (s 26WF(3)).”

“If the remedial action prevents the likelihood of serious harm to some individuals within a larger group of individuals whose information was compromised in a data breach, notification to those individuals for whom harm has been prevented is not required.” (Office of the Australian Information Commissioner, Australian Government, 2018)

For most diligent organisations operating in the real world, preparing for the NDB regime is less an exercise in whether to update their firewalls, put in another layer of security and making sure that default passwords have been changed and more whether the appropriate  risk assessment has been made, a thorough incident response plan is in place, their business continuity plans are appropriate, their disaster recovery plans actually work should they be needed and they have the legal resources at hand should the need arise.

While the information security industry whips itself up into a frenzy over the NDB regime, it will be those with a long-term, invested and relationship-based view of their clients and their needs that will succeed in the long run. There is no doubt that NDB is sorely needed from a consumer protection perspective, but like all things, NDB will not be a cure-for-all and information security practitioners will need to endure the uphill battle to help organisations secure their information for some time yet.