Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Friday, 22 February 2019 09:55

Data breach law: one year and not much to show


One year since the Australian Government put in place a data breach notification law, the only visible change is that the workload of the Office of the Australian Information Commissioner has increased - it has to issue a quarterly breach list. But nobody is any the wiser as to how the man in the street is affected by the various breaches that are reported periodically.

The law seems to have been put in place merely to have something, anything — even tiny New Zealand had one long before Australia — rather than to be seen to be lagging behind the rest of the world.

Unlike the General Data Protection Regulation which was put in place by the European Union in May last year, the Australian law only caters for breach notification of pre-existing rights. The GDPR, on the other hand, recognises specific additional rights, including the right of reasonable access to enforcement.

The Australian law has no requirement for companies that are duty-bound to report a breach to the OAIC - there is a requirement that this should be done if turnover is more than $3 million - to also make it public.

Any companies that have gone public have done so to control the flow of information as the story was going to become common knowledge anyway.

There is no better example of this than the case of human resources firm PageUp People. The company provided highly sanitised versions of information after it suffered a massive breach, and the last time one looked, its chief executive Karen Cariss was claiming that no data had leaked to the public.

The company hired forensic investigator Klein & Co to find out the details of the breach but the only insight it offered to the public was that, "It [the investigation] concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated." (emphasis mine).

So was there any general evidence that data was exfiltrated? (Emphasis mine again). Cariss did not mention the report anymore, but spent a good deal of the rest of a fairly long email wallowing in self-pity, outlining the strain that the company's staff were put under but having little regard to being open about the incident.

That theme — "we were hacked [due to our own incompetence] but yet we are to be pitied" — is also visible in the case of property valuation firm LandMark White, which said on its website, "Although LandMark White is one of the victims of this cyber crime, we take responsibility for this incident and deeply and sincerely regret that this incident has occurred."

In part, this is due to the authorities, and in particular the head of the Australian Cyber Security Centre, Alastair MacGibbon, who at one stage looked to be playing a PR role for PageUp.

An AFR article put it this way: "Earlier this week Australia's national cyber security adviser, Alastair MacGibbon, described PageUp as being effectively 'victimised' as a result of having to out itself to Australian customers before it even knew for certain there was a problem."

With sentiments like that being expressed by those who are supposed to be the guiding lights, it is no wonder that the legislation in Australia is like a limp biscuit. A system that sees the powerful as the victims and the masses as those who deserve to remain ignorant can do no better.




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


