The law seems to have been put in place merely to have something, anything — even tiny New Zealand had one long before Australia — rather than to be seen to be lagging behind the rest of the world.
Unlike the General Data Protection Regulation which was put in place by the European Union in May last year, the Australian law only caters for breach notification of pre-existing rights. The GDPR, on the other hand, recognises specific additional rights, including the right of reasonable access to enforcement.
The Australian law does not require companies that are duty-bound to report a breach to the OAIC (a duty that applies if turnover is more than $3 million) to also make it public.
There is no better example of this than the case of human resources firm PageUp People. The company provided highly sanitised versions of information after it suffered a massive breach, and the last time one looked, its chief executive Karen Cariss was claiming that no data had leaked to the public.
The company hired forensic investigator Klein & Co to find out the details of the breach but the only insight it offered to the public was that, "It [the investigation] concluded that while an attacker was successful in installing tools that could exfiltrate data, no specific evidence was found that data was exfiltrated." (emphasis mine).
So was there any general evidence that data was exfiltrated? (Emphasis mine again.) Cariss made no further mention of the report, but spent a good deal of the rest of a fairly long email wallowing in self-pity, outlining the strain that the company's staff were put under while showing little regard for being open about the incident.
That theme — "we were hacked [due to our own incompetence] but yet we are to be pitied" — is also visible in the case of property valuation firm LandMark White, which said on its website, "Although LandMark White is one of the victims of this cyber crime, we take responsibility for this incident and deeply and sincerely regret that this incident has occurred."
In part, this is due to the authorities, and in particular the head of the Australian Cyber Security Centre, Alastair MacGibbon, who at one stage looked to be playing a PR role for PageUp.
An AFR article put it this way: "Earlier this week Australia's national cyber security adviser, Alastair MacGibbon, described PageUp as being effectively 'victimised' as a result of having to out itself to Australian customers before it even knew for certain there was a problem."
With sentiments like that being expressed by those who are supposed to be the guiding lights, it is no wonder that Australia's legislation is like a limp biscuit. A system that sees the powerful as the victims and the masses as those who deserve to remain ignorant can do no better.