Tuesday, 13 February 2018 11:00

Data breach law will not change status quo: claim


Australia's data breach notification law, which takes effect on 22 February, will be among the weakest in the world and, as it stands, is unlikely to put any pressure on businesses to change the way they protect personal data, the founder and chief technology officer of a cyber security consulting firm claims.

Phil Kernick of CQR Consulting told iTWire that he was not saying the law was pointless. "There is clearly a need for protection of personal data held by businesses," he said. "The problems arise from the fact that the laws don't effectively internalise the costs that result when a data breach occurs."

Breaches of the law, in the form of a failure to notify those affected by a data breach, will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines. Only organisations with annual turnover of more than $3 million are covered, apart from a few categories (such as private health service providers) that fall under the Privacy Act regardless of size.

Kernick said when a breach that resulted in the loss of personal customer data took place, there was an external cost borne by the victims.

"This cost can range from mild inconvenience for those affected, such as the need for a new credit card, to larger costs like reputational and financial damage," he pointed out.

"For the business itself, however, there is often little more than a short-term reputational loss that occurs. History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations. Even dating site Ashley Madison continues to flourish following a massive data breach back in 2015."

As a result, he said, there had been little incentive for businesses to increase their security budgets to ensure proper protection of personal data – the associated costs had not been internalised.

"This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take."

Asked about the costs that a business would suffer due to class action suits following a breach and whether that would not act as an incentive to have better security, Kernick responded: "It's possible, but not probable. We aren't as litigious as other countries, and given the Privacy Act already defines the process and penalties, it's hard to see the Federal Court hearing such an action."

He said that under the new law, any business affected by a data breach was responsible for deciding whether "serious harm" was likely to occur to any person whose data had been compromised.

"If the company decides the serious harm bar has not been exceeded, it doesn't have to take any action at all. So, a company could simply decide that having a customer's personal contact details out on the Internet will not result in serious harm to them - and that's the end of it," he said.

"There is nothing to compel them to take any other steps. In fact, if you look at data breaches that have already occurred in Australia, it is hard to find one where the 'serious harm' definition would actually have come into play. Clearly these new rules need to be toughened up.

"If a business does decide that serious harm could occur to individuals who have had their personal data stolen, all that the management has to do is provide a statutory notification to the Privacy Commissioner who may then determine that all that's required is the posting of that declaration on its website."

Asked why the government had set the bar so low that in effect it was a case of the fox watching the hen house, Kernick pointed to a clause in the privacy law dealing with APP entities, that is, organisations bound by the Australian Privacy Principles: "In order not to impose an unreasonable compliance burden on APP entities and to avoid the risk of notification fatigue among individuals receiving a large number of notifications in relation to non-serious breaches, it is not intended that every data breach be subject to a notification requirement."

His interpretation of that was, "reading between the lines, the ALRC (Australian Law Reform Commission) seems to believe that there are going to be a lot of data breaches. The serious harm threshold will be set by common law, so expect that there will be cases intended to set exactly this bar."

As to how the law could be strengthened so that it would be more meaningful, Kernick said first, the responsibility for determining whether the serious harm bar had been exceeded should be shifted from the affected company to the Privacy Commissioner.

Then there should be a provision stipulating that whenever a data breach occurred, the business was obliged to contact every customer and let them know about the incident, whether or not it met the definition of serious harm. This would impose a cost on the business, which would encourage it to strengthen security ahead of time.

"The Australian Government should also look closely at the privacy regulations now in place in other parts of the world," Kernick recommended. "For example, the General Data Protection Regulation rules in the European Union (which come into force in May this year) provide the ability to levy fines equivalent to 4% of a company's annual turnover."

He said if such rules existed in Australia it would mean a change in the rules of the game.

"These extra steps need to be taken as soon as possible to internalise the costs of data breaches and ensure that businesses in Australia are taking all the steps required to effectively secure the personal data they are storing," Kernick added. "Doing nothing means the burden unfairly remains with affected individuals rather than the businesses that have been careless with their data."

When it was suggested that the law was more of a band-aid to cover for the fact that Australia had no data breach law, and to pacify trading partners and the public, Kernick took a more moderate tone.

"It's a good start. We are slow to the party but at least we are now there," he conceded. "The opportunity exists to strengthen the regulations going forward. Remember there are still large carve-outs in the Privacy Act. State governments and local councils, which hold vast amounts of personal information, are currently exempt."

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
