Phil Kernick of CQR Consulting told iTWire that he was not saying the law was pointless. "There is clearly a need for protection of personal data held by businesses," he said. "The problems arise from the fact that the laws don't effectively internalise the costs that result when a data breach occurs."
Breaches of the law, as far as failing to notify those affected by a breach, will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines. Only organisations with revenue of more than $3 million are covered.
Kernick said when a breach that resulted in the loss of personal customer data took place, there was an external cost borne by the victims.
"For the business itself, however, there is often little more than a short-term reputational loss that occurs. History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations. Even dating site Ashley Madison continues to flourish following a massive data breach back in 2015."
As a result, he said, there had been little incentive for businesses to increase their security budgets to ensure proper protection of personal data – the associated costs had not been internalised.
"This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take."
Asked about the costs that a business would suffer due to class action suits following a breach and whether that would not act as an incentive to have better security, Kernick responded: "It's possible, but not probable. We aren't as litigious as other countries, and given the Privacy Act already defines the process and penalties, it's hard to see the Federal Court hearing such an action."
He said that under the new law, any business affected by a data breach was responsible for deciding whether "serious harm" was likely to occur to any person whose data had been compromised.
"If the company decides the serious harm bar has not been exceeded, it doesn't have to take any action at all. So, a company could simply decide that having a customer's personal contact details out on the Internet will not result in serious harm to them - and that's the end of it," he said.
"There is nothing to compel them to take any other steps. In fact, if you look at data breaches that have already occurred in Australia, it is hard to find one where the 'serious harm' definition would actually have come into play. Clearly these new rules need to be toughened up.
"If a business does decide that serious harm could occur to individuals who have had their personal data stolen, all that the management has to do is provide a statutory notification to the Privacy Commissioner who may then determine that all that's required is the posting of that declaration on its website."
Asked why the government had set the bar so low that in effect it was a case of the fox watching the hen house, Kernick pointed to a clause in the privacy law: "In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of notification fatigue among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement."
His interpretation of that was, "reading between the lines, the ALRC (Australian Law Reform Commission) seems to believe that there are going to be a lot of data breaches. The serious harm threshold will be set by common law, so expect that there will be cases intended to set exactly this bar."
As to how the law could be strengthened so that it would be more meaningful, Kernick said first, the responsibility for determining whether the serious harm bar had been exceeded should be shifted from the affected company to the Privacy Commissioner.
Then there should be a provision included that stipulated whenever a data breach occurred, the business was obliged to contact every customer and let them know about the incident, whether it met the definition of serious harm or not. This would mean a cost for the business, which would encourage it to strengthen security ahead of time.
"The Australian Government should also look closely at the privacy regulations now in place in other parts of the world," Kernick recommended. "For example, the General Data Protection Regulation rules in the European Union (which come into force in May this year) provide the ability to levy fines equivalent to 4% of a company's annual turnover."
He said if such rules existed in Australia it would mean a change in the rules of the game.
"These extra steps need to be taken as soon as possible to internalise the costs of data breaches and ensure that businesses in Australia are taking all the steps required to effectively secure the personal data they are storing," Kernick added. "Doing nothing means the burden unfairly remains with affected individuals rather than the businesses that have been careless with their data."
When it was suggested that the law was more of a band-aid to cover for the fact that Australia has had no data breach law and to pacify trading partners and the public, Kernick took a more moderate tone.
"It's a good start. We are slow to the party but at least we are now there," he conceded. "The opportunity exists to strengthen the regulations going forward. Remember there are still large carve-outs in the Privacy Act. State governments and local councils, which hold vast amounts of personal information, are currently exempt."